What validity tests make sense on client side

What can I do to test the validity of a JWT on the client side? I realise that I can NOT test against the secret key.

Tests I can think of:

  • three sections
  • header and the body need to represent json objects

Are there any rules on length/structure of signature? Anything I’m missing?

Beyond being able to access the fields of the body, do any other tests make sense? At the end of the day an invalid JWT will be rejected by the server when it is used.
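The structural checks listed in the question, written out as browser-side JavaScript, as an added example that is not part of the thread and not Auth0's code. It goes a little beyond the list: it also rejects `alg: "none"`, checks `exp`/`nbf` against the clock, and compares the decoded signature length with what the declared algorithm would produce. The sample token, its all-zero signature and the signature-length table are constructed here for the example; the token is deliberately not authentic, which is exactly what these checks cannot detect.

```javascript
// Added example, not from the thread: structural sanity checks a client can run on a
// JWT before using it. Passing them never proves the token is authentic; only a party
// holding the HMAC secret or the RSA/EC public key can verify the signature.

const B64URL = /^[A-Za-z0-9_-]+$/;

function base64UrlDecode(s) {
  if (!B64URL.test(s)) throw new Error("not base64url");
  const rem = s.length % 4;
  if (rem === 1) throw new Error("bad base64url length");
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat(rem ? 4 - rem : 0);
  const bin = atob(b64);
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes;
}

function base64UrlEncode(bytes) {
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode one segment and insist that it is a JSON *object* (not an array, string or null).
function decodeJsonObject(segment) {
  const text = new TextDecoder("utf-8", { fatal: true }).decode(base64UrlDecode(segment));
  const value = JSON.parse(text);
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error("segment is not a JSON object");
  }
  return value;
}

// Raw signature sizes fixed by the JWS algorithm. RSA sizes depend on the key, so those are
// only checked loosely below (assumption: nobody should be issuing keys under 2048 bits).
const SIGNATURE_BYTES = { HS256: 32, HS384: 48, HS512: 64, ES256: 64, ES384: 96, ES512: 132 };

function inspectJwt(token, now = Math.floor(Date.now() / 1000)) {
  const problems = [];
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, problems: [`expected 3 sections, got ${parts.length}`] };
  const [h, p, s] = parts;

  let header, payload;
  try { header = decodeJsonObject(h); } catch (e) { problems.push("header: " + e.message); }
  try { payload = decodeJsonObject(p); } catch (e) { problems.push("payload: " + e.message); }
  if (problems.length) return { ok: false, problems };

  if (typeof header.alg !== "string") problems.push("header has no alg");
  else if (header.alg === "none") problems.push('alg "none" is never acceptable');

  let sig;
  try { sig = base64UrlDecode(s); } catch (e) { problems.push("signature: " + e.message); }
  if (sig) {
    const want = SIGNATURE_BYTES[header.alg];
    if (want !== undefined && sig.length !== want) {
      problems.push(`signature is ${sig.length} bytes, ${header.alg} needs ${want}`);
    }
    if (/^[RP]S(256|384|512)$/.test(header.alg) && sig.length < 256) {
      problems.push("RSA signature shorter than a 2048-bit modulus");
    }
  }

  // Time claims are seconds since the epoch; a client clock can be skewed, so treat these as hints.
  if (typeof payload.exp === "number" && payload.exp <= now) problems.push("token expired");
  if (typeof payload.nbf === "number" && payload.nbf > now) problems.push("token not yet valid");

  return { ok: problems.length === 0, problems, header, payload };
}

// Constructed sample: well-formed HS256 token with a fake all-zero 32-byte signature.
// It passes every structural check and would still be rejected by the server.
const enc = (obj) => base64UrlEncode(new TextEncoder().encode(JSON.stringify(obj)));
const SAMPLE_TOKEN = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user-1", exp: 4102444800 }), // exp = 2100-01-01T00:00:00Z
  base64UrlEncode(new Uint8Array(32)),
].join(".");

console.log(inspectJwt(SAMPLE_TOKEN));
console.log(inspectJwt("only.two"));
```

The point the sample makes is the one the question anticipates: a token can be perfectly well-formed, carry a plausible `alg`, a correctly sized signature and an unexpired `exp`, and still be forged. The checks are worth running because they give the user an immediate, specific error instead of a round trip, not because they decide anything about trust.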

If you’re using RS256 id_tokens, then you can use GitHub - auth0/idtoken-verifier: Lightweight RSA JWT verification to validate them.