TsgcHTTP_JWT_ServerMethods › IsJWTTokenValid

IsJWTTokenValid Method

Validates the Bearer token carried in the request: runs the full pipeline (OnJWTBeforeRequest, signature check, claim validations, OnJWTAfterValidateToken) and returns True when the token is accepted.

Overloads

Overload 1

Syntax

function IsJWTTokenValid(aConnection: TsgcWSConnection; aHeaders: TStringList): Boolean;

Parameters

| Name | Type | Description |
| --- | --- | --- |
| aConnection | TsgcWSConnection | Connection the request belongs to; passed through to every OnJWT* event so handlers can inspect the peer or per-connection state. |
| aHeaders | TStringList | Request headers; the Bearer token is extracted from the Authorization header. |

Return Value

True when OnJWTBeforeRequest sets Cancel=True (the request bypasses JWT), or when the Authorization: Bearer token validates successfully; False when the header is missing or empty, or when the token fails validation. (Boolean)

Remarks

Entry point used by the HTTP/WebSocket server for each incoming request. Fires OnJWTBeforeRequest first (so the handler can short-circuit to True for routes that do not need JWT), then extracts the Bearer token from the Authorization header and delegates to the second overload.

Example


if oJWT.IsJWTTokenValid(aConnection, aRequest.RawHeaders) then
  // token accepted, continue processing request
else
  aResponse.ResponseNo := 401;

Overload 2

Syntax

function IsJWTTokenValid(aConnection: TsgcWSConnection; const aToken: String): Boolean;

Parameters

| Name | Type | Description |
| --- | --- | --- |
| aConnection | TsgcWSConnection | Connection the token is being validated for; forwarded to every OnJWT* event. |
| aToken | const String | Raw JWT already stripped of the Bearer prefix (three base64url sections separated by dots). |

Return Value

True when the token passes signature verification and all enabled claim validations (and OnJWTAfterValidateToken has not flipped Valid to False); False when OnJWTBeforeValidateToken sets Cancel=True, or when Cancel stays False and any step fails. (Boolean)

Remarks

Runs the full validation pipeline for a single token:

  1. Fires OnJWTBeforeValidateToken; if the handler sets Cancel=True the method returns False without validating.
  2. Calls DoValidateSignature — splits the token, reads alg from the header, verifies the signature with JWTOptions.Algorithms.HS/RS/ES. OnJWTBeforeValidateSignature fires just before the cryptographic check so the validation secret can be overridden per token.
  3. Runs JWTOptions.Validations claim checks (iat, nbf, exp).
  4. Fires OnJWTAfterValidateToken with the decoded Header, Payload and Error; the handler can flip the Valid flag.
  5. On any exception, fires OnJWTException and returns False.

Example


if oJWT.IsJWTTokenValid(aConnection, vBearerToken) then
  // token accepted
else
  // token rejected – send 401
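
The following is an added illustration, not part of the component's source or its documentation: a Python model of steps 2, 3 and 5 of the Overload 2 pipeline (split the token, read alg, verify the signature, check iat/nbf/exp, reject on any exception). The names validate_token, make_token and ENABLED_ALGS are hypothetical, only HS256 is assumed to be enabled, and the event hooks of steps 1 and 4 are not modelled.

```python
import base64, hashlib, hmac, json

# Assumption: only HS256 is enabled (stands in for the enabled-algorithm options).
ENABLED_ALGS = {"HS256": hashlib.sha256}

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def validate_token(token: str, secret: bytes, now: int, leeway: int = 0):
    """Return (valid, error) for a raw JWT with the Bearer prefix already removed."""
    try:
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed token"
        header = json.loads(b64url_decode(parts[0]))
        # alg comes from the token itself, so accept it only if it is enabled.
        digest = ENABLED_ALGS.get(header.get("alg"))
        if digest is None:
            return False, "algorithm not enabled"
        expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), digest).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            return False, "bad signature"
        claims = json.loads(b64url_decode(parts[1]))
        if "exp" in claims and now >= claims["exp"] + leeway:
            return False, "token expired"
        if "nbf" in claims and now < claims["nbf"] - leeway:
            return False, "token not yet valid"
        if "iat" in claims and claims["iat"] > now + leeway:
            return False, "issued in the future"
        return True, ""
    except Exception as exc:  # step 5: any exception rejects the token
        return False, f"exception: {type(exc).__name__}"

def make_token(header: dict, claims: dict, secret: bytes) -> str:
    """Build a constructed HS256-signed sample token for the demo below."""
    signing_input = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

if __name__ == "__main__":
    key, now = b"constructed-demo-secret", 1_700_000_000  # constructed sample values
    good = make_token({"alg": "HS256"}, {"sub": "u1", "iat": now - 10, "exp": now + 60}, key)
    other_alg = make_token({"alg": "none"}, {"sub": "u1", "exp": now + 60}, key)
    for tok in (good, other_alg, "abc"):
        print(validate_token(tok, key, now))
```

The signature is verified before any claim is read, so a token with a bad signature is always reported as such and never as expired or not yet valid.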
