Keats · arckoor · Jun 20, 2026 · Jun 19, 2026
diff --git a/src/decoding.rs b/src/decoding.rs
@@ -280,7 +280,7 @@ pub fn decode<T: DeserializeOwned>(
     let token = token.as_ref();
     let header = decode_header(token)?;
 
-    if validation.validate_signature && !validation.algorithms.contains(&header.alg) {
+    if !validation.algorithms.contains(&header.alg) {
         return Err(new_error(ErrorKind::InvalidAlgorithm));
     }
 
@@ -334,25 +334,21 @@ pub(crate) fn verify_signature_body(
     validation: &Validation,
     verifying_provider: Box<dyn JwtVerifier>,
 ) -> Result<()> {
-    if validation.validate_signature && validation.algorithms.is_empty() {
+    if validation.algorithms.is_empty() {
         return Err(new_error(ErrorKind::MissingAlgorithm));
     }
 
-    if validation.validate_signature {
-        for alg in &validation.algorithms {
-            if verifying_provider.algorithm().family() != alg.family() {
-                return Err(new_error(ErrorKind::InvalidAlgorithm));
-            }
+    for alg in &validation.algorithms {
+        if verifying_provider.algorithm().family() != alg.family() {
+            return Err(new_error(ErrorKind::InvalidAlgorithm));
         }
     }
 
-    if validation.validate_signature && !validation.algorithms.contains(&header.alg) {
+    if !validation.algorithms.contains(&header.alg) {
         return Err(new_error(ErrorKind::InvalidAlgorithm));
     }
 
-    if validation.validate_signature
-        && verifying_provider.verify(message, &b64_decode(signature)?).is_err()
-    {
+    if verifying_provider.verify(message, &b64_decode(signature)?).is_err() {
         return Err(new_error(ErrorKind::InvalidSignature));
     }
 

diff --git a/src/validation.rs b/src/validation.rs
@@ -103,9 +103,6 @@ pub struct Validation {
     ///
     /// Defaults to `vec![Algorithm::HS256]`.
     pub algorithms: Vec<Algorithm>,
-
-    /// Whether to validate the JWT signature. Very insecure to turn that off
-    pub(crate) validate_signature: bool,
 }
 
 impl Validation {
@@ -136,8 +133,6 @@ impl Validation {
             iss: None,
             sub: None,
             aud: None,
-
-            validate_signature: true,
         }
     }
 
@@ -161,17 +156,6 @@ impl Validation {
     pub fn set_required_spec_claims<T: ToString>(&mut self, items: &[T]) {
         self.required_spec_claims = items.iter().map(|x| x.to_string()).collect();
     }
-
-    /// Whether to validate the JWT cryptographic signature.
-    /// Disabling validation is dangerous, only do it if you know what you're doing.
-    /// With validation disabled you should not trust any of the values of the claims.
-    #[deprecated(
-        since = "10.1.0",
-        note = "Use `jsonwebtoken::dangerous::insecure_decode` if you require this functionality."
-    )]
-    pub fn insecure_disable_signature_validation(&mut self) {
-        self.validate_signature = false;
-    }
 }
 
 impl Default for Validation {

diff --git a/tests/hmac.rs b/tests/hmac.rs
@@ -1,5 +1,5 @@
-#![allow(deprecated)]
 use jsonwebtoken::Extras;
+use jsonwebtoken::dangerous::insecure_decode;
 use serde::{Deserialize, Serialize};
 use time::OffsetDateTime;
 use wasm_bindgen_test::wasm_bindgen_test;
@@ -268,41 +268,14 @@ fn decode_header_only() {
 #[wasm_bindgen_test]
 fn dangerous_insecure_decode_valid_token() {
     let token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJiQGIuY29tIiwiY29tcGFueSI6IkFDTUUiLCJleHAiOjI1MzI1MjQ4OTF9.9r56oF7ZliOBlOAyiOFperTGxBtPykRQiWNFxhDCW98";
-    let mut validation = Validation::new(Algorithm::HS256);
-    validation.insecure_disable_signature_validation();
-    let claims = decode::<Claims>(token, &DecodingKey::from_secret(&[]), &validation);
-    claims.unwrap();
+    insecure_decode::<Claims>(&token).unwrap();
 }
 
 #[test]
 #[wasm_bindgen_test]
 fn dangerous_insecure_decode_token_invalid_signature() {
     let token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJiQGIuY29tIiwiY29tcGFueSI6IkFDTUUiLCJleHAiOjI1MzI1MjQ4OTF9.wrong";
-    let mut validation = Validation::new(Algorithm::HS256);
-    validation.insecure_disable_signature_validation();
-    let claims = decode::<Claims>(token, &DecodingKey::from_secret(&[]), &validation);
-    claims.unwrap();
-}
-
-#[test]
-#[wasm_bindgen_test]
-fn dangerous_insecure_decode_token_wrong_algorithm() {
-    let token = "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJiQGIuY29tIiwiY29tcGFueSI6IkFDTUUiLCJleHAiOjI1MzI1MjQ4OTF9.fLxey-hxAKX5rNHHIx1_Ch0KmrbiuoakDVbsJjLWrx8fbjKjrPuWMYEJzTU3SBnYgnZokC-wqSdqckXUOunC-g";
-    let mut validation = Validation::new(Algorithm::HS256);
-    validation.insecure_disable_signature_validation();
-    let claims = decode::<Claims>(token, &DecodingKey::from_secret(&[]), &validation);
-    claims.unwrap();
-}
-
-#[test]
-#[wasm_bindgen_test]
-fn dangerous_insecure_decode_token_with_validation_wrong_algorithm() {
-    let token = "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJiQGIuY29tIiwiY29tcGFueSI6IkFDTUUiLCJleHAiOjk1MzI1MjQ4OX0.ONtEUTtP1QmyksYH9ijtPCaXoHjZVHcHKZGX1DuJyPiSyKlT93Y-oKgrp_OSkHSu4huxCcVObLzwsdwF-xwiAQ";
-    let mut validation = Validation::new(Algorithm::HS256);
-    validation.insecure_disable_signature_validation();
-    let claims = decode::<Claims>(token, &DecodingKey::from_secret(&[]), &validation);
-    let err = claims.unwrap_err();
-    assert_eq!(err.kind(), &ErrorKind::ExpiredSignature);
+    insecure_decode::<Claims>(&token).unwrap();
 }
 
 #[test]