---
title: Avoid disabling JWT signature verification
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST
  Rules > Avoid disabling JWT signature verification
---

# Avoid disabling JWT signature verification

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `rust-security/jwt-insecure-decode`

**Language:** Rust

**Severity:** Warning

**Category:** Security

**CWE**: [347](https://cwe.mitre.org/data/definitions/347.html)

## Description{% #description %}

Calling `dangerous::insecure_decode()` or `Validation::insecure_disable_signature_validation()` from the `jsonwebtoken` crate bypasses JWT signature verification entirely. The token's claims are decoded and accepted without checking the signature, so an attacker can forge any token by editing the payload and re-encoding it. Always validate signatures with a strong algorithm such as `RS256`, `ES256`, or `HS256`.
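The difference between the two decode paths is easiest to see by running both over the same edited token. The block below is an added example written for this page, not Datadog's code and not the `jsonwebtoken` crate's API: it models an insecure decode (split, base64url-decode the payload, never look at the third segment) beside a verifying decode (recompute the tag over `header.payload`, compare in constant time, only then release the claims). Everything in it is the example's own construction: the helper names, the sample secret and claims, and `toy_mac`, a keyed FNV-1a hash standing in for HMAC-SHA256 so the file runs with the standard library alone. `toy_mac` has no security properties and exists only so the verifying path has a tag to compare; a real deployment uses the crate's `decode` with a `DecodingKey` as in the compliant example further down.

```rust
// Added example (not Datadog's or the jsonwebtoken crate's code): a std-only model
// of the two decode paths this rule distinguishes. All names are the example's own.
// `toy_mac` is a keyed FNV-1a hash standing in for HMAC-SHA256 (HS256); it has NO
// security properties and exists only so the verifying path has a tag to check.

const B64URL: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/// base64url without padding, the encoding JWT uses for all three segments.
fn b64url_encode(data: &[u8]) -> String {
    let mut out = String::new();
    for chunk in data.chunks(3) {
        let mut buf = [0u8; 3];
        buf[..chunk.len()].copy_from_slice(chunk);
        let n = (u32::from(buf[0]) << 16) | (u32::from(buf[1]) << 8) | u32::from(buf[2]);
        // A chunk of k bytes produces k+1 characters.
        for i in 0..=chunk.len() {
            out.push(B64URL[((n >> (18 - 6 * i)) & 0x3f) as usize] as char);
        }
    }
    out
}

/// Inverse of `b64url_encode`; returns None on any character outside the alphabet.
fn b64url_decode(s: &str) -> Option<Vec<u8>> {
    let mut out = Vec::new();
    let (mut acc, mut bits) = (0u32, 0u32);
    for c in s.bytes() {
        let v = B64URL.iter().position(|&b| b == c)? as u32;
        acc = (acc << 6) | v;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    Some(out)
}

/// Stand-in for HMAC-SHA256 (constructed, insecure): keyed FNV-1a over key || 0x00 || message.
fn toy_mac(key: &[u8], message: &[u8]) -> [u8; 8] {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for &b in key.iter().chain(std::iter::once(&0u8)).chain(message.iter()) {
        h ^= u64::from(b);
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    h.to_be_bytes()
}

/// Issue a token as header.payload.tag, with the tag computed over "header.payload".
fn sign(key: &[u8], claims_json: &str) -> String {
    // Header copied for shape only; the tag below is `toy_mac`, not real HS256.
    let header = b64url_encode(br#"{"alg":"HS256","typ":"JWT"}"#);
    let payload = b64url_encode(claims_json.as_bytes());
    let signing_input = format!("{}.{}", header, payload);
    let tag = b64url_encode(&toy_mac(key, signing_input.as_bytes()));
    format!("{}.{}", signing_input, tag)
}

/// What an insecure decode amounts to: split the token, decode the payload and
/// return the claims. The third segment is never examined.
fn insecure_decode(token: &str) -> Option<String> {
    let mut parts = token.split('.');
    let _header = parts.next()?;
    let payload = parts.next()?;
    let _signature = parts.next()?; // present, but ignored
    String::from_utf8(b64url_decode(payload)?).ok()
}

/// What a verifying decode does: recompute the tag over "header.payload", compare
/// it to the presented tag in constant time, and only then return the claims.
fn verifying_decode(token: &str, key: &[u8]) -> Result<String, &'static str> {
    let parts: Vec<&str> = token.split('.').collect();
    if parts.len() != 3 {
        return Err("malformed token");
    }
    let signing_input = format!("{}.{}", parts[0], parts[1]);
    let expected = toy_mac(key, signing_input.as_bytes());
    let presented = b64url_decode(parts[2]).ok_or("bad signature encoding")?;
    let mismatch = presented.len() != expected.len()
        || presented.iter().zip(expected.iter()).fold(0u8, |acc, (a, b)| acc | (*a ^ *b)) != 0;
    if mismatch {
        return Err("invalid signature");
    }
    let claims = b64url_decode(parts[1]).ok_or("bad payload encoding")?;
    String::from_utf8(claims).map_err(|_| "payload is not UTF-8")
}

/// The edit the rule description refers to: re-encode a changed payload and keep
/// the original token's signature segment unchanged.
fn edit_payload(token: &str, new_claims_json: &str) -> String {
    let parts: Vec<&str> = token.split('.').collect();
    format!("{}.{}.{}", parts[0], b64url_encode(new_claims_json.as_bytes()), parts[2])
}

fn main() {
    let key = b"constructed-demo-key"; // constructed sample secret
    let issued = sign(key, r#"{"sub":"alice","admin":false}"#);
    let edited = edit_payload(&issued, r#"{"sub":"alice","admin":true}"#);
    println!("insecure_decode returns:  {:?}", insecure_decode(&edited));
    println!("verifying_decode returns: {:?}", verifying_decode(&edited, key));
}
```

Running `main` shows the two outcomes side by side: the insecure path hands back `{"sub":"alice","admin":true}` as if it were trustworthy, while the verifying path returns `Err("invalid signature")` because the tag still belongs to the original payload. The same holds for a token signed under a different key, which is why the compliant pattern on this page is the plain `decode` with a `DecodingKey` and an unmodified `Validation`.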

#### Learn More{% #learn-more %}

- [CWE-347: Improper Verification of Cryptographic Signature](https://cwe.mitre.org/data/definitions/347.html)

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```rust
use jsonwebtoken::{dangerous, Algorithm, Validation};

// `serde_json::Value` comes from the serde_json crate; the claims type parameter
// has no bearing on whether the signature is checked.
fn invalid(token: &str) -> Result<(), Box<dyn std::error::Error>> {
    // Unqualified dangerous::insecure_decode (module imported above)
    let _ = dangerous::insecure_decode::<serde_json::Value>(token)?;

    // Fully qualified
    let _ = jsonwebtoken::dangerous::insecure_decode::<serde_json::Value>(token)?;

    // Method form on a fresh Validation
    let _ = Validation::new(Algorithm::HS256).insecure_disable_signature_validation();

    // Method form on a variable
    let mut validation = Validation::new(Algorithm::HS256);
    validation.insecure_disable_signature_validation();

    Ok(())
}
```

## Compliant Code Examples{% #compliant-code-examples %}

```rust
use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};

// `key` is the verification key for the chosen algorithm, for example
// `DecodingKey::from_secret(..)` for HS256.
fn valid(token: &str, key: &DecodingKey) -> Result<(), Box<dyn std::error::Error>> {
    // Normal verifying decode: the signature is checked and the algorithm is
    // pinned to HS256, so a token claiming a different `alg` is rejected.
    let validation = Validation::new(Algorithm::HS256);
    let _ = decode::<serde_json::Value>(token, key, &validation)?;

    // A regular `decode` call (not the dangerous module)
    let _ = jsonwebtoken::decode::<serde_json::Value>(token, key, &validation)?;

    Ok(())
}
```