JWT (JSON Web Tokens)

MockMotor implements JWT support natively.

Every reaction with Javascript has access to JWT library. That library is capable of generating, parsing and verifying JWT tokens.

XQuery-based reactions don't have JWT support yet. If you need it, please let me know.

MockMotor JWT API

JWT functions can be used in any reaction’s scriptable field.

Function Purpose Result Example
JWT.encode() Creates a JWT token from a header, payload and a secret. Takes the signature algorithm from the header’s alg field. Currently only HS256, HS384 and HS512 are supported. JWT token as string var token = JWT.encode(header,payload,"password123");
JWT.decode() Decodes a JWT token into JSON format. The operation doesn’t fail if the token is invalid, but it adds an error field to the resulting object. JSON with a header, payload and optionally error fields. var jwt = JWT.decode(JWT.token,"password123");
JWT.verify() Decodes and verifies JWT token into JSON format. Currently only HS256, HS384 and HS512 algorithms are supported. In case of the invalid token or an unsupported algorithm, the reaction fails with a hard error (HTTP 500). JSON with a header and payload fields. var jwt = JWT.verify(JWT.token,"password123");
JWT.token Contains JWT token as a string taken from Authorization: Bearer header or null. JWT Token if( JWT.token ){ ... }
JWT.header Contains JWT header as a JSON object taken from Authorization: Bearer header or empty object. JWT header var issuer = JWT.header.iss;
JWT.payload Contains JWT payload as a JSON object taken from Authorization: Bearer header or empty object. JWT payload var userId = JWT.payload.user;

If the request’s Authorization header doesn’t have a JWT, the JWT.token, JWT.header and JWT.payload are null.

Example: Generating a JWT

To implement a reaction that generates a JWT, we need to form JWT header and payload, and then sign it with a secret value (not-so-secret in this case - it’s just a mock!).

Look at this payload script:

var header = {
  "alg": "HS256",

var payload = {
  "userid": "john.doe"

var token = JWT.encode(header,payload,"qwerty");
output = {"token":token};

The response contains the generated JWT, like below:

  "token": "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyaWQiOiJqb2huLmRvZSJ9.CuScq77_iCP4XsYGCMgGnQiATOmQwu_rR1LEB2Pcd_I"

The function takes the signature algorithm from the header’s alg value, HS256 in this case.

(You can decode and verify this token at Auth0 JWT site.)

Example: Decoding JWT to Get User Login

Suppose we need to select a mock account based on login value passed in JWT payload.

We can use JWT.payload.login in the account selection. Before the reaction execution begins, MockMotor decodes the request’s Authorization: Bearer header into the JWT.payload JSON object, so you don’t need to decode it yourself.

Example: Verifying JWT is Valid

Sometimes you need to check if the passed JWT is valid.

For example, you may want to properly mock the exp (Expiration Time Claim) or nbf (Not Before Claim), and reject a request when the JWT is not yet valid or has already expired.

To verify a token a secret is required, and so MockMotor can’t do that automatically. You need to call to JWT.decode() or JWT.verify() in a reaction’s scripted field.

For example, here I implemented a “JWT Check” - a reaction that matches only when the token is invalid.

The JTW.decode() function takes the token JWT.token and a secret (password) and decodes the token into a JSON structure. However, if the token is invalid, it also adds an error field to that structure. If the reaction sees the error present (not null), it matches the request. This response has a status HTTP 401, effectively rejecting the call.

If, on the other hand, the token is valid, the reaction doesn’t match and is passed down to the next reaction which now doesn’t have to worry about the JWT validity.