diff --git a/backends/jwt_files.go b/backends/jwt_files.go
index 42fc49f..f5990d5 100644
--- a/backends/jwt_files.go
+++ b/backends/jwt_files.go
@@ -17,7 +17,7 @@ func NewFilesJWTChecker(authOpts map[string]string, logLevel log.Level, hasher h
 /* We could ask for a file listing available users with no password, but that gives very little value versus just assuming users in the ACL file are valid ones, while general rules apply to any user.
- Thus, padswords file makes no sense for JWT, we only need to check ACLs.
+ Thus, passwords file makes no sense for JWT, we only need to check ACLs.
 */
 aclPath, ok := authOpts["jwt_acl_path"]
 if !ok || aclPath == "" {
@@ -36,7 +36,8 @@ func NewFilesJWTChecker(authOpts map[string]string, logLevel log.Level, hasher h
 }
 
 func (o *filesJWTChecker) GetUser(token string) (bool, error) {
- return false, nil
+ _, err := getUsernameForToken(o.options, token, o.options.skipUserExpiration)
+ return err == nil, nil
 }
 
 func (o *filesJWTChecker) GetSuperuser(token string) (bool, error) {
@@ -48,7 +49,7 @@ func (o *filesJWTChecker) CheckAcl(token, topic, clientid string, acc int32) (bo
 
 if err != nil {
 log.Printf("jwt get user error: %s", err)
- return false, err
+ return false, nil
 }
 
 return o.checker.CheckAcl(username, topic, clientid, acc)
diff --git a/backends/jwt_test.go b/backends/jwt_test.go
index 795e041..4ff0dec 100644
--- a/backends/jwt_test.go
+++ b/backends/jwt_test.go
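Review bot: The verification error from `getUsernameForToken` is thrown away in the new `GetUser` body, so a token rejected for a bad signature, expiry or a malformed value (the cases the new tests exercise) leaves no trace in the logs, unlike the `CheckAcl` path in the following hunk, which logs the error before denying. Failed authentication attempts are exactly the events an operator wants visible, and that discarded error is presumably the only thing that distinguishes an expired token from a forged one. Keep the fail-closed `false, nil` result but log the reason first, mirroring the existing pattern: `if err != nil { log.Printf("jwt get user error: %s", err); return false, nil }` followed by `return true, nil`. It is also worth a doc comment on the method stating that, per the comment in the first hunk, any token that verifies authenticates regardless of whether its username appears in the ACL file, and that the error result is always nil.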
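Review bot: Switching `return false, err` to `return false, nil` changes the contract of `CheckAcl` for an unverifiable token from "backend error" to "definite denial", and nothing in the hunk records why; depending on how the caller handles a non-nil error (not visible here), this may be the safer, fail-closed choice, but without a comment a later maintainer may read it as a bug and restore the error. Add a why-comment above the `log.Printf` line: `// An unverifiable token is an access denial, not a backend failure: log it and return a definite false so the caller does not treat it as a retryable error.` The `getUsernameForToken` call that produces `err` and the start of `CheckAcl` lie outside the hunk, so whether the same `skipUserExpiration` option used by `GetUser` is applied on this path cannot be confirmed from the diff and deserves a look.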
@@ -218,6 +218,59 @@ func TestFilesJWTChecker(t *testing.T) {
 token, err := notPresentJwtToken.SignedString([]byte(jwtSecret))
 So(err, ShouldBeNil)
+ invalidToken, err := notPresentJwtToken.SignedString([]byte("badsecret"))
+ So(err, ShouldBeNil)
+
+ expiredToken, err := expiredToken.SignedString([]byte(jwtSecret))
+ So(err, ShouldBeNil)
+
+ Convey("Given a valid token, it should correctly authenticate it", func() {
+ authenticated, err := filesChecker.GetUser(token)
+
+ So(err, ShouldBeNil)
+ So(authenticated, ShouldBeTrue)
+ })
+
+ Convey("Given an invalid token, it should not authenticate it", func() {
+ authenticated, err := filesChecker.GetUser(invalidToken)
+
+ So(err, ShouldBeNil)
+ So(authenticated, ShouldBeFalse)
+ })
+
+ Convey("Given an expired token, it should not authenticate it", func() {
+ authenticated, err := filesChecker.GetUser(expiredToken)
+
+ So(err, ShouldBeNil)
+ So(authenticated, ShouldBeFalse)
+ })
+
+ Convey("Given an expired token with skip user expiration, it should anyway authenticate it", func() {
+ skipExpirationOptions := tkOptions
+ skipExpirationOptions.skipUserExpiration = true
+ filesChecker, err := NewFilesJWTChecker(authOpts, logLevel, hasher, skipExpirationOptions)
+ So(err, ShouldBeNil)
+
+ authenticated, err := filesChecker.GetUser(expiredToken)
+
+ So(err, ShouldBeNil)
+ So(authenticated, ShouldBeTrue)
+ })
+
+ Convey("Given a plain non-token format valid username, it should not authenticate it", func() {
+ authenticated, err := filesChecker.GetUser(username)
+
+ So(err, ShouldBeNil)
+ So(authenticated, ShouldBeFalse)
+ })
+
+ Convey("Given a plain non-token format random username, it should not authenticate it", func() {
+ authenticated, err := filesChecker.GetUser("somerandomuser")
+
+ So(err, ShouldBeNil)
+ So(authenticated, ShouldBeFalse)
+ })
+
 Convey("Access should be granted for ACL mentioned users", func() {
 tt, err := filesChecker.CheckAcl(token, "test/not_present", "id", 1)