diff --git a/platypush/backend/http/app/routes/auth.py b/platypush/backend/http/app/routes/auth.py
index b59561d06a..cfdc30e7e0 100644
--- a/platypush/backend/http/app/routes/auth.py
+++ b/platypush/backend/http/app/routes/auth.py
@@ -50,7 +50,6 @@ def auth_endpoint():
     except Exception as e:
         log.warning('Invalid payload passed to the auth endpoint: ' + str(e))
         abort(400)
-        return jsonify({'token': None})
 
     expiry_days = payload.get('expiry_days')
     expires_at = None
@@ -65,4 +64,3 @@ def auth_endpoint():
         })
     except UserException as e:
         abort(401, str(e))
-        return jsonify({'token': None})
diff --git a/platypush/user/__init__.py b/platypush/user/__init__.py
index ecbab91f60..7d268b592d 100644
--- a/platypush/user/__init__.py
+++ b/platypush/user/__init__.py
@@ -230,6 +230,7 @@ class UserManager:
         payload = json.dumps(
             {
                 'username': username,
+                'password': password,
                 'created_at': datetime.datetime.now().timestamp(),
                 'expires_at': expires_at.timestamp() if expires_at else None,
             },
@@ -241,8 +242,7 @@ class UserManager:
             rsa.encrypt(payload.encode('ascii'), pub_key)
         ).decode()
 
-    @staticmethod
-    def validate_jwt_token(token: str) -> Dict[str, str]:
+    def validate_jwt_token(self, token: str) -> Dict[str, str]:
         """
         Validate a JWT token.
 
@@ -275,6 +275,14 @@ class UserManager:
         if expires_at and time.time() > expires_at:
             raise InvalidJWTTokenException('Expired JWT token')
 
+        user = self.authenticate_user(
+            payload.get('username', ''),
+            payload.get('password', '')
+        )
+
+        if not user:
+            raise InvalidCredentialsException()
+
         return payload
 
     def _authenticate_user(self, session, username, password):