This error occurs if the JSON Web Token (JWT) specified in the `<Source>` element of the Decode JWT policy is malformed, invalid or otherwise not decodable.
A properly structured JWT consists of a header, a payload and a signature in the format header.payload.signature. If the JWT passed to the Decode JWT policy is missing one of these parts, you will get the error. For example, if the JWT has only payload.signature and is missing its header, the error will occur.
Diagnosis
1. Identify the variable specified in the `<Source>` element of the Decode JWT policy. This variable should contain the JWT.
   Here's a sample Decode JWT policy:
   ```xml
   <DecodeJWT name="Decode-JWT">
       <DisplayName>JWT Verify HS256</DisplayName>
       <Source>request.header.authorization</Source>
       <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
   </DecodeJWT>
   ```
   In the above example, the JWT should be contained in the Authorization request header.
2. Examine the variable identified in Step 1 and check whether the JWT it contains is valid. If the input JWT is not valid, that is the cause of the error.
In the example API request below, the input JWT is passed in the Authorization request header:
Where $EXTERNAL_IP is the IP address of the external load balancer. This IP address is exposed to the internet. For more information, see Customize access routing.
Close examination of the JWT shows that it has the format payload.signature, which is invalid. The expected format is header.payload.signature. As a result, the Decode JWT policy fails with the error:
```
"faultstring": "Failed to Decode Token: policy({0})"
```
Resolution
Ensure that the JWT passed to the Decode JWT policy contains all three elements, is correctly formatted and is decodable.
To correct the example shown above, you can pass in a valid JWT with the format header.payload.signature. This can be done by making the API call using the cURL command as follows:
Where $EXTERNAL_IP is the IP address of the external load balancer. This IP address is exposed to the internet. For more information, see Customize access routing.
This error occurs if the flow variable specified in the `<Source>` element of the Decode JWT policy is:
- out of scope (not available in the specific flow where the policy is being executed), or
- can't be resolved (is not defined).
Diagnosis
1. Identify the variable specified in the `<Source>` element of the Decode JWT policy. This variable should contain the JWT.
   Here's a sample Decode JWT policy:
   ```xml
   <DecodeJWT name="Decode-JWT">
       <DisplayName>JWT Verify HS256</DisplayName>
       <Source>request.header.authorization</Source>
       <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
   </DecodeJWT>
   ```
   In the example above, the Authorization request header should contain the JWT.
2. Determine whether the variable identified in Step 1 is defined and available in the flow in which the Decode JWT policy is executed. If the variable is either:
   - out of scope (not available in the specific flow where the policy is being executed), or
   - can't be resolved (is not defined),
   then that is the cause of the error.
   In the example API request below, the user does not pass the JWT in the Authorization request header:
   ```
   curl -v "http://$EXTERNAL_IP/v1/decodeJWT"
   ```
Where $EXTERNAL_IP is the IP address of the external load balancer. This IP address is exposed to the internet. For more information, see Customize access routing.
Because the Authorization request header is not passed, the variable request.header.authorization cannot be resolved and the Decode JWT policy fails with the error:
```
"faultstring": "Invalid token: policy({0})"
```
Resolution
Ensure that the variable referenced in the `<Source>` element of the Decode JWT policy is defined, contains a valid (decodable) JWT and is available in the specific flow where the Decode JWT policy is being executed.
To correct the example shown above, pass a valid JWT in the Authorization request header. This can be done by making the API call using the cURL command as follows:
Where $EXTERNAL_IP is the IP address of the external load balancer. This IP address is exposed to the internet. For more information, see Customize access routing.
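As an added example (not code from the original page or from Apigee), the following Python replicates the two pre-conditions behind the errors above: the source variable must resolve at all, and the value it holds must have the header.payload.signature shape with base64url-encoded JSON header and payload. The tokens and the check_jwt_source function are constructed for illustration; the fault names are used only as labels, and, like Decode JWT, the check never verifies the signature.

```python
import base64
import json

# Constructed sample tokens (not from the original page). The signature segment is a
# stand-in, not a real HMAC: Decode JWT only decodes, it never verifies the signature.
def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

GOOD_JWT = ".".join([
    _b64url_encode({"alg": "HS256", "typ": "JWT"}),
    _b64url_encode({"sub": "api-client", "iss": "example-issuer"}),
    "c2lnbmF0dXJl",
])
BAD_JWT = GOOD_JWT.split(".", 1)[1]  # payload.signature only, as in the first scenario

def check_jwt_source(headers: dict, source_header: str = "authorization"):
    """Return (ok, fault_name, detail) for the request header named by <Source>.

    InvalidToken: the header (the source variable) is absent, so it cannot be resolved.
    FailedToDecode: the token is not header.payload.signature with JSON header/payload.
    """
    wanted = source_header.lower()
    raw = next((v for k, v in headers.items() if k.lower() == wanted), None)
    if raw is None:
        return False, "InvalidToken", "source variable is unresolved: header not present"
    # Accept both a bare token and the "Bearer <token>" form.
    token = raw.split(" ", 1)[1] if raw.lower().startswith("bearer ") else raw
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return False, "FailedToDecode", f"expected 3 segments, got {len(parts)}"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # binascii.Error, UnicodeDecodeError and JSONDecodeError
        return False, "FailedToDecode", f"segment is not base64url-encoded JSON: {exc}"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "FailedToDecode", "header and payload must be JSON objects"
    return True, None, {"header": header, "payload": payload}

if __name__ == "__main__":
    print(check_jwt_source({}))                                       # InvalidToken
    print(check_jwt_source({"Authorization": "Bearer " + BAD_JWT}))   # FailedToDecode
    print(check_jwt_source({"Authorization": "Bearer " + GOOD_JWT}))  # decoded claims
```

Running the same three requests against the proxy with cURL reproduces the two faultstrings quoted above and, for the well-formed token, a successful decode.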