diff --git a/platypush/user/__init__.py b/platypush/user/__init__.py index 6568b2cf..149c8765 100644 --- a/platypush/user/__init__.py +++ b/platypush/user/__init__.py @@ -198,6 +198,7 @@ class UserManager: payload = json.dumps( { 'username': username, + 'password': password, 'created_at': datetime.datetime.now().timestamp(), 'expires_at': expires_at.timestamp() if expires_at else None, }, @@ -209,8 +210,7 @@ class UserManager: rsa.encrypt(payload.encode('ascii'), pub_key) ).decode() - @staticmethod - def validate_jwt_token(token: str) -> Dict[str, str]: + def validate_jwt_token(self, token: str) -> Dict[str, str]: """ Validate a JWT token. @@ -243,6 +243,14 @@ class UserManager: if expires_at and time.time() > expires_at: raise InvalidJWTTokenException('Expired JWT token') + user = self.authenticate_user( + payload.get('username', ''), + payload.get('password', '') + ) + + if not user: + raise InvalidCredentialsException() + return payload def _get_db_session(self):
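Review bot: The added `'password': password` entry in the first hunk puts the user's cleartext password inside every issued token, so each token becomes a reversible copy of the credential. Anyone who obtains the private key matching `pub_key` can recover the password from any token they have captured. If the aim is to invalidate tokens when the password changes, a server-side derived value (for example a digest of the stored password hash) would bind the token to the credential without carrying it; failing that, add a comment such as `# NOTE: token embeds the cleartext password; tokens and the private key are password-equivalent`. The payload appears to go through a single `rsa.encrypt` call, which would cap its size, so a long password may make token creation fail and is worth a length check or a test. The enclosing function starts and ends outside the hunk.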
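Review bot: Dropping `@staticmethod` in the second hunk changes how `validate_jwt_token` must be called. Any caller that still invokes `UserManager.validate_jwt_token(token)` on the class will now fail with a missing-argument error, and no call site is visible in this diff to confirm they were updated. The docstring, which continues outside the hunk, should also state that validation now re-checks the embedded credentials and list the new failure mode, e.g. `:raises InvalidCredentialsException: if the credentials in the token no longer authenticate` (adapted to the docstring's existing style).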
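Review bot: In the third hunk, `return payload` now hands the decrypted password back to every caller, because the returned dict still contains the `'password'` key after the new check. Any caller that logs, caches or serialises the result would expose it. Removing the value before returning avoids that: `password = payload.pop('password', '')` followed by `user = self.authenticate_user(payload.get('username', ''), password)`. Tokens issued before this change have no `'password'` field, so they fall back to `''` and will presumably be rejected with `InvalidCredentialsException`; if that invalidation is intended, a short comment saying so would help. Whether `InvalidCredentialsException` is imported in this module cannot be seen from the hunk, and the method body starts outside it.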