Error Encyclopedia

JWT Malformed Error

Fix 'jwt malformed' errors when decoding or verifying JWT tokens. Learn the correct JWT format and how to debug invalid tokens.

What Does This Error Mean?

A 'jwt malformed' error means the token string does not match the required JWT format. A valid JWT consists of three Base64URL-encoded parts separated by dots: header.payload.signature. If the token has fewer or more than three segments, or the segments are not properly encoded, it will be rejected as malformed.

Common Causes

1. Token string contains whitespace or newline characters
2. Token is wrapped in quotes or other delimiters
3. Missing or extra dot separators in the token
4. Token was URL-encoded or HTML-entity encoded
5. Wrong token format (e.g., opaque session ID instead of JWT)
6. Token was truncated or corrupted in transit

How to Fix It

Inspect the token format

A valid JWT has exactly two dots separating three segments. Count the dots and check for extra characters.

// Check JWT format
const token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dQw4w9WgXcQ"
const parts = token.split(".")
console.log(parts.length) // Should be 3

// Verify each part is valid Base64URL
const isValidBase64url = (str) => /^[A-Za-z0-9_-]+$/.test(str)
console.log(parts.every(isValidBase64url)) // Should be true
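The same inspection extended into a diagnostic that reports which of the common causes listed earlier applies. This is an added example, not code from the original page; diagnoseJwt and decodeSegment are hypothetical helper names and the sample inputs are constructed. It checks structure only and does not verify the signature.

```javascript
// Added example: diagnoseJwt() is a hypothetical helper, not a library API.
// It explains why a string fails JWT structural checks; it never verifies signatures.
const B64URL = /^[A-Za-z0-9_-]*$/; // '*' permits the empty signature of an alg:none token

function decodeSegment(seg) {
  // Base64URL -> JSON object, or null when the bytes are not a JSON object
  try {
    const obj = JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
    return obj !== null && typeof obj === "object" ? obj : null;
  } catch {
    return null;
  }
}

function diagnoseJwt(raw) {
  if (typeof raw !== "string" || raw.length === 0) return ["not a non-empty string"];
  const problems = [];
  if (/\s/.test(raw)) problems.push("contains whitespace or newlines");
  if (/^["']|["']$/.test(raw.trim())) problems.push("wrapped in quotes");
  if (/%[0-9A-Fa-f]{2}/.test(raw)) problems.push("URL-encoded characters");
  if (/&[#\w]+;/.test(raw)) problems.push("HTML-entity encoded characters");
  if (problems.length) return problems; // report transport damage first

  const parts = raw.split(".");
  if (parts.length !== 3) return [`expected 3 segments, found ${parts.length}`];
  parts.forEach((p, i) => {
    if (!B64URL.test(p)) problems.push(`segment ${i + 1} is not Base64URL`);
  });
  if (problems.length) return problems;

  if (!decodeSegment(parts[0])) problems.push("header is not Base64URL-encoded JSON");
  if (!decodeSegment(parts[1])) problems.push("payload is not Base64URL-encoded JSON (truncated?)");
  return problems; // empty array: well-formed, but the signature is still unverified
}

// Constructed sample inputs (not real tokens)
const samples = [
  "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.dQw4w9WgXcQ",         // well-formed
  '"eyJhbGciOiJIUzI1NiJ9.\neyJzdWIiOiIxMjM0In0.\ndQw4w9WgXcQ"',   // quotes and newlines
  "a3f9c2d17e",                                                   // opaque session ID
  "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMj.dQw4w9WgXcQ",              // truncated payload
];
for (const s of samples) console.log(JSON.stringify(s), "->", diagnoseJwt(s));
```

An empty result means only that the string is shaped like a JWT; claims must not be trusted until the signature has been verified with the expected key and algorithm.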

Clean the token before parsing

Remove whitespace, quotes, or encoding artifacts before using the token.

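function cleanToken(raw) {
  return raw
    .trim()                         // Remove leading/trailing whitespace first
    .replace(/^["']|["']$/g, "")    // Remove surrounding quotes
    .replace(/\s/g, "")             // Remove remaining whitespace and newlines
}

// authHeader is the raw Authorization header value, e.g. "Bearer <token>"
const token = cleanToken(authHeader.split(" ")[1] ?? "")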

Use a JWT debugger

Paste your token into a JWT decoder to inspect its structure and identify format issues.

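// Use the JWT Decoder tool
// https://webutilslyce.com/security/jwt-decoder

// Or decode in Node.js (requires the jsonwebtoken package)
const jwt = require("jsonwebtoken")

// decode() only parses the token; it does not verify the signature
const decoded = jwt.decode(token, { complete: true })
if (!decoded) console.error("Malformed JWT")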

Before & After Examples

❌ Before
// ❌ Token with newlines and quotes
const token = '"eyJhbGciOiJIUzI1NiJ9.\neyJzdWIiOiIxMjM0In0.\ndQw4w9WgXcQ"'
✅ After
// ✅ Clean token
const token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.dQw4w9WgXcQ"

Frequently Asked Questions

Can a valid JWT have fewer than three parts?

No. A JWT always has exactly three parts separated by two dots. Even unsecured JWTs (alg: none) have all three parts (header.payload.signature), though the signature is an empty string.

Is a JWT the same as a Base64-encoded string?

No. While each part of a JWT is Base64URL-encoded, the full JWT has three segments separated by dots. A plain Base64-encoded string without dots is not a JWT.