Many modern web applications, both client-side and server-side, use JSON Web Tokens (JWTs) for authentication, which is an excellent approach. However, when things don’t work, it can be tricky to work out why.

This post aims to give you some tactics for understanding and correcting problems with JWTs. If you’re just getting started, check out the documentation on working with JWTs and our APIs first.

Does Your JSON Web Token Look Plausible?

Sometimes the problem is as simple as not knowing whether you even passed the right value into the right place, the equivalent of the “is it plugged in?” question.

So, add a little debugging to your code to output the JWT somewhere you can see, such as your error log or console.

Then take a look for the following:

  • Does this look like a token? It should be three sets of garbled-looking alphanumeric strings (technically, upper and lower case characters, numeric digits, + and / are permitted, with = used for padding), separated by dots.
  • Is there whitespace around it, including a newline at the end? Pesky, errant whitespaces can trip up some tools.
  • Is it there at all? I have mistyped a variable name and regenerated the token a few times before realising that the problem is me, not the token.

If the token passes visual inspection, then we need to get out some more specific tools.
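The visual checklist above can be scripted so it runs next to the debug output. The following is an added example, not code from the original post: it strips stray whitespace, checks for three dot-separated segments, validates the alphabet and decodes the header and payload. JWT segments use the base64url alphabet of RFC 7515 (`-` and `_`, with padding omitted), so that is what the decoder accepts. The sample token, secret and claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import re

# JWT segments use the base64url alphabet of RFC 7515 (- and _, not + and /),
# with the = padding omitted.
_B64URL = re.compile(r"^[A-Za-z0-9_-]+$")

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    # Restore the padding the producer stripped, then decode.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_jwt(raw):
    """Run the plausibility checklist over a candidate token; returns findings."""
    f = {"present": False, "stray_whitespace": False, "three_segments": False,
         "valid_alphabet": False, "unsigned": None, "header": None, "payload": None}
    if raw is None or not raw.strip():
        return f                              # "is it there at all?"
    f["present"] = True
    token = raw.strip()
    f["stray_whitespace"] = token != raw      # newline or spaces around the value
    parts = token.split(".")
    f["three_segments"] = len(parts) == 3
    if not f["three_segments"]:
        return f
    # An empty third segment means the token carries no signature (alg "none").
    f["unsigned"] = parts[2] == ""
    f["valid_alphabet"] = all(_B64URL.match(p) for p in parts[:2]) and (
        f["unsigned"] or bool(_B64URL.match(parts[2])))
    if not f["valid_alphabet"]:
        return f
    try:
        f["header"] = json.loads(_b64url_decode(parts[0]))
        f["payload"] = json.loads(_b64url_decode(parts[1]))
    except ValueError:                        # bad base64 or bad JSON in a segment
        pass
    return f

# Constructed sample: an HS256 token signed with a throwaway secret.
_HEADER = {"alg": "HS256", "typ": "JWT"}
_CLAIMS = {"sub": "1234567890", "iat": 1516239022}
_SIGNING_INPUT = ".".join(
    _b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (_HEADER, _CLAIMS))
_SIG = hmac.new(b"constructed-secret", _SIGNING_INPUT.encode(), hashlib.sha256).digest()
SAMPLE_TOKEN = _SIGNING_INPUT + "." + _b64url_encode(_SIG)
```

Log `inspect_jwt(token)` beside the token itself; a `present` of `False` or `header` of `None` tells you which item on the checklist failed before you reach for signature-verification tools.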

How To Debug JSON Web Tokens (JWTs)