Extension::JsonJWTVerify Method


Extension::JSON::JWTVerify as c (token as C, secret as C[,options as c])



JWT Token


Secret that token was hashed against.

optionsCharacter JSON String

A comma-delimited list of hashes to use or a JSON string defining one or more of the following options:

algorithmsCharacter Array

A comma-delimited list of hashes.


Identifies the recipients that the JWT is intended for.


Identifies principal that issued the JWT.


Decode the token even if it is expired.


Decode the token even if it is not ready.


Identifies the subject of the JWT.


Number of seconds of error to tolerate on notbefore and expiration.



Returns JSON if valid, otherwise return the string "null".


Verifies a javascript web token.

' First create a token
dim token as c = extension::JSON::JWTSign(json_sanitize("{ fname : 'john' , lname : 'public'}"),"shhhh!")
? token
= "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmbmFtZSI6ImpvaG4iLCJsbmFtZSI6InB1YmxpYyIsImlhdCI6MTY2MzE1OTI1OX0.sL1T91egdCSZPVoRF3Eye_2xi1Q85LzX8seLy4zTdpY"

' Verify will return JSON packet if the supplied secret is valid
? extension::JSON::JWTVerify(token,"shhhh!")
= {"fname":"john","lname":"public","iat":1663159259}

' Pass it an incorrect secret - and verify will return a blank string
? extension::JSON::JWTVerify(token,"boo!")
= "null"

Using the optional parameter to specify alternate algorithms.

By default, Extension::JSON::JWTVerify() will try various hash schemas. You can explicitly define the hash schemes to use as a comma-delimited list.

dim token as c = extension::JSON::JWTSign(json_sanitize("{ fname : 'john' , lname : 'public'}"),"shhhh!","HS512")
? token
= "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJmbmFtZSI6ImpvaG4iLCJsbmFtZSI6InB1YmxpYyIsImlhdCI6MTY2MzE1OTMxMn0.kK1WKMO-qKkZ4ez0bGB4bspB6HpZLk96DK_blVfy3yDEwvV6r0W1twXrifVM3cUR9J-IeuQt4E8mmYwI1M3OlQ"

' We are using a different hash
? extension::JSON::JWTVerify(token,"shhhh!","HS256")
= "null"

' So include the hash we are using
? extension::JSON::JWTVerify(token,"shhhh!","HS512")
= {"fname":"john","lname":"public","iat":1663159312}

' Comma separated list of accepted hash encodings works as well.
? extension::JSON::JWTVerify(token,"shhhh!","HS256,HS512")
= {"fname":"john","lname":"public","iat":1663159312}

More Complex Options

Just like the JWTSign method, JWTVerify can take complex options.

The following example signs a token that expires in 30 seconds. After the token has expired, the JWTVerify() will report the token is invalid (returns "null"). You can use the 'ignoreexpiration' option to decode the expired tokens. The 'ignoreexpiration' option is useful for debugging cases where verified failed unexpectedly.

dim optionsSign as P
dim optionsSign.algorithm as c = "HS512"
dim optionsSign.expiresin as n = 30
dim optionsjson as c  = json_generate(optionsSign)
? optionsjson
= {
	"algorithm": "HS512",
	"expiresin": 30

dim token as c = extension::JSON::JWTSign(json_sanitize("{ fname : 'john' , lname : 'public'}"),"shhhh!",optionsjson)
? token
= "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJmbmFtZSI6ImpvaG4iLCJsbmFtZSI6InB1YmxpYyIsImlhdCI6MTY2MzE1OTQwNCwiZXhwIjoxNjYzMTU5NDM0fQ.TzyiihEB2JRhAalC6g6pKx2dtITADHqgyEU22Dt5Q3u7mXRQGyZC8euA9o9uq0WtsieYso6kqx5lABc-axLhTw"

? extension::JSON::JWTVerify(token,"shhhh!","HS512")
= {"fname":"john","lname":"public","iat":1663159404,"exp":1663159434}

' Wait for 30 seconds
? extension::JSON::JWTVerify(token,"shhhh!","HS512")
= "null"

dim optionsVer.algorithms[1] as c = "HS512"
dim optionsVer.ignoreexpiration as l = .t.
dim optionsjson as c  = json_generate(optionsVer)
? optionsjson
= {
	"algorithms": [
	"ignoreexpiration": true

' Explicity ignore the expiration (can be used to determine if token is expired rather than using the wrong secret)
? extension::JSON::JWTVerify(token,"shhhh!",optionsjson)
= {"fname":"john","lname":"public","iat":1663159404,"exp":1663159434}