JWT Validate
This page is no longer maintained (Nov 12, 2025). For the most current information, go to https://docs.snaplogic.com/snaps/snaps-core/sp-jwt/snap-jwt-validate.html.
In this article
Overview
This Snap validates JSON Web Tokens. Together with JWT Validate Snap, this Snap allows pipelines to use limited scope tokens. This Snap uses the JWT Account. This Snap verifies:
The token signature (by using the secret or trusted certificate a with public key from the associated JWTAccount) and the algorithm specified in token header.
If the token is still valid or if it has expired.
If the "audience" property is specified, the audience in the token payload will be compared with the snap property, and the validation will only succeed if at least one of the values match.
Algorithms currently supported by the Snap:
AES ALGORITHMS:
JWSAlgorithm.HS256,JWSAlgorithm.HS384,JWSAlgorithm.HS512,
RSA ALGORITHMS:
JWSAlgorithm.RS256,JWSAlgorithm.RS384,JWSAlgorithm.RS512,JWSAlgorithm.PS256,JWSAlgorithm.PS384,JWSAlgorithm.PS512;
Snap Type
The JWT Validate Snap is a Flow-type Snap.
Support for Ultra Tasks
Works in Ultra Pipelines.
Limitations and Known Issues
This Snap has been tested with tokens generated using the JWT Validate Snap. Validating tokens generated using other methods has not been tested.
Snap Views
Type | Examples of Upstream and Downstream Snaps | Description |
|---|---|---|
Input | Mapper | This Snap has at most one document input view. This Snap can have an upstream Snap that passes in the access token. Alternatively, this Snap could be the first Snap in a pipeline and receive the token in an HTTP Header or HTTP Request body. |
Output |
| This Snap has exactly one document output view. This Snap outputs a document that contains all the claims found in the token. The downstream Snap could take this information and do additional validation or filtering. Since triggered and scheduled tasks do not support custom HTTP headers, the token should be passed in the request body for those types of tasks. |
Error | Error handling is a generic way to handle errors without losing data or failing the Snap execution. You can handle the errors that the Snap might encounter when running the pipeline by choosing one of the following options from the When errors occur list under the Views tab:
Learn more about Error handling in Pipelines. | |
Snap Settings
Asterisk (*): Indicates a mandatory field.
Suggestion icon (): Indicates a list that is dynamically populated based on the configuration.
Expression icon (): Indicates whether the value is an expression (if enabled) or a static value (if disabled). Learn more about Using Expressions in SnapLogic.
Add icon ( ): Indicates that you can add fields in the field set.
Remove icon (): Indicates that you can remove fields from the field set.
Field | Field Type | Description |
|---|---|---|
Label
| String | Required. The name for the Snap. You can modify this to be more specific, especially if you have more than one of the same Snap in your pipeline. Default value: JWT Validate |
Audience | String/Expression | The asset that the token should be valid for. It can be a string or list of strings. If a single value is specified, it must match the "audience" value in the JWT token for the validation to succeed. If a list of values is specified, at least one the values specified in this property should match at least one of the values in the token. Default value: pipe.projectPath |
Access token | String/Expression | Required. The token to validate. Default value: [None] |
Snap Execution | Dropdown list | Select one of the following three modes in which the Snap executes:
Default Value: Execute only |
Examples
Basic Use Case
The pipeline below shows a standalone JWT Validate Snap (it contains a hardcoded token for demo purposes).
Note that:
The Audience property is set to a string value of "sales". This means that the JWT must contain an "audience" claim, and one of those values must be "sales".
The Access token property refers to pipeline parameter (_access_token).
The preview shows the output when a JWT has been successfully validated and the token has been decoded.
Typical Snap Configurations
The Access token parameter must always be present. Since it is an expression, it can refer to pipeline parameter, input document parameter or a plain string.
The Audience parameter is optional. If left empty, the Snap will not perform any checks against the "audience" parameter in the token (It'll still check for a valid token signature and expiration).
Advanced Use Case
This Snap can be used at the start of a pipeline to limit access. By configuring the "audience" parameter, the pipeline will only allow calls with access token that contains that "audience" parameter.
Following on from the Advanced Use Case in JWT Generate Snap documentation, let us assume that we want to allow calls associated with "sales" department only. Further, let us assume that we only want to allow calls when "age" is greater than 21.
The JWT Validate Snap is configured as shown in the "Typical Snap Configuration" section above.
If a token was generated for a different audience (for e.g. "Engineering"), then the Snap validation fails.
With a valid token, the Validation succeeds and the contents of the decoded JWT are written to the output document.
The next step after JWT Validate can perform further filtering or validation. In this example, we configure a Filter snap to only pass calls with an "age" value of greater than 21.
Downloads
You'll need to create a Configuring JWT Accounts to use for this sample. Use the attached jwt-keystore.jks file to create one.
(The keystore was created using keytool for demo purposes. It contains one symmetric key with alias: jwt password: jwtpasswd)
Have feedback? Email documentation@snaplogic.com | Ask a question in the SnapLogic Community
© 2017-2025 SnapLogic, Inc.