Extension::Json JWTVerify Method


.JWTVerify as c (token as C, secret as C[,options as c])



JWT Token


Secret that the token was hashed against.


Specify an algorithm used to hash, or pass complex options.


Verify a JSON Web Token; return JSON if valid, otherwise return an empty string.


' First create a token	
dim token as c = extension::JSON::JWTSign(json_sanitize("{ fname : 'john' , lname : 'public'}"),"shhhh!")
? token
= "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmbmFtZSI6ImpvaG4iLCJsbmFtZSI6InB1YmxpYyIsImlhdCI6MTQ3Nzc3OTA2M30.xwGMV_POhwEoj-mH1PsgscL-uqOfBMLnNsD2SsOtqXE"

' Verify will return JSON packet if the supplied secret is valid
? extension::JSON::JWTVerify(token,"shhhh!")
= {"fname":"john","lname":"public","iat":1477779063}

' Pass it an incorrect secret - and verify will return a blank string
? extension::JSON::JWTVerify(token,"boo!")
= ""

 Using the optional parameter to specify alternate algorithms.

By default, JWTVerify tries the various hash schemes. To specify the exact hash schemes to accept, pass them as a comma-separated list.

dim token as c = extension::JSON::JWTSign(json_sanitize("{ fname : 'john' , lname : 'public'}"),"shhhh!","HS512")
? token
= "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJmbmFtZSI6ImpvaG4iLCJsbmFtZSI6InB1YmxpYyIsImlhdCI6MTQ4MzczNTY1MH0.EBW04-jWCb405BUzbSuzoq19pWiAo6gLKhHfPic2WBClD6TKKqPzfttYtzTEPr45JoxTmK8oIcYKaVg5FZ4CAg"

' We are using a different hash
? extension::JSON::JWTVerify(token,"shhhh!","HS256")
= ""

' So include the hash we are using
? extension::JSON::JWTVerify(token,"shhhh!","HS512")
= {"fname":"john","lname":"public","iat":1483735650}

' Comma separated list of accepted hash encodings works as well.
? extension::JSON::JWTVerify(token,"shhhh!","HS256,HS512")
= {"fname":"john","lname":"public","iat":1483735650}

 More Complex Options

Just like the JWTSign method, JWTVerify can take complex options.

In the following example, we sign a token that expires in 30 seconds (this is from the JWTSign examples).

After the token has expired, JWTVerify() by default reports the token as invalid. The 'ignoreexpiration' option decodes the packet even for expired tokens; this is useful for debugging, to determine why verify failed.

dim optionsSign.algorithm as c = "HS512"
dim optionsSign.expiresin as n = 30
dim optionsjson as c  = json_generate(optionsSign)
? optionsjson
= {
	"algorithm": "HS512",
	"expiresin": 30
}

dim token as c = extension::JSON::JWTSign(json_sanitize("{ fname : 'john' , lname : 'public'}"),"shhhh!",optionsjson)
? token
= "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJmbmFtZSI6ImpvaG4iLCJsbmFtZSI6InB1YmxpYyIsImlhdCI6MTQ4Mzc0MDUzNCwiZXhwIjoxNDgzNzQwNTY0fQ.KMcq2PQWsu0ouqnaZRRAWFa73UOiWI09r4GkE6YWydqJEQYJxhPhkEoa2crLJvfcOxZV5JIN6RFXx0s0Mlk-sA"

? extension::JSON::JWTVerify(token,"shhhh!","HS512")
= {"fname":"john","lname":"public","iat":1483740534,"exp":1483740564}

' Wait for 30 seconds
? extension::JSON::JWTVerify(token,"shhhh!","HS512")
= ""

dim optionsVer.algorithms[1] as c = "HS512"
dim optionsVer.ignoreexpiration as l = .t.
dim optionsjson as c  = json_generate(optionsVer)
? optionsjson
= {
	"algorithms": [
		"HS512"
	],
	"ignoreexpiration": true
}

' Explicitly ignore the expiration (can be used to determine if token is expired rather than using the wrong secret)
? extension::JSON::JWTVerify(token,"shhhh!",optionsjson)
= {"fname":"john","lname":"public","iat":1483740534,"exp":1483740564}
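
The debugging use of 'ignoreexpiration' described above, as an added example (not code from the original documentation): a hypothetical helper, jwt_failure_reason, that pins verification to one algorithm and uses 'ignoreexpiration' only to classify a failure for logging. The function name, its alg parameter and the three return strings are assumptions; the JWTVerify and json_generate calls are the ones shown on this page.

```xbasic
' Added example: classify a JWTVerify result without trusting an expired token.
' jwt_failure_reason and its return strings are hypothetical names.
function jwt_failure_reason as c (token as c, secret as c, alg as c)
	dim payload as c
	dim optionsjson as c

	' Normal path: accept only the one algorithm the caller expects
	payload = extension::JSON::JWTVerify(token, secret, alg)
	if payload <> "" then
		jwt_failure_reason = "valid"
	else
		' Diagnostic path: same single algorithm, but ignore expiration
		dim optionsVer.algorithms[1] as c = alg
		dim optionsVer.ignoreexpiration as l = .t.
		optionsjson = json_generate(optionsVer)
		payload = extension::JSON::JWTVerify(token, secret, optionsjson)

		if payload <> "" then
			' Secret and algorithm match; only the expiration check failed
			jwt_failure_reason = "expired"
		else
			' Wrong secret, algorithm not in the list, or any other failure
			jwt_failure_reason = "invalid"
		end if
	end if
end function
```

Treat "expired" as a log detail only: reject the request exactly as for "invalid", and do not act on the payload decoded with 'ignoreexpiration'.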

 Optional Fields




Optional character array - specifies which algorithms are allowed.


Identifies the recipients that the JWT is intended for.


Identifies the principal that issued the JWT.


Decode the token even if it is expired.


Decode the token even if it is not ready.


Identifies the subject of the JWT.


Number of seconds of error to tolerate on notbefore and expiration.