const jwt = require("jsonwebtoken");
const SECRET = "superSuperSecret";

module.exports = function(req, res, next) {
    const token = req.body.token || req.query.token || req.headers[ "x-access-token" ];
    if (token) {
        return jwt.verify(token, SECRET, function(err, decoded) {
            if (err) {
                return res.json({
                    success: false,
                    message: "Failed to authenticate token.",
                });
            }
            req.user = decoded;
            return next();
        });
    }
    return res.unauthorized();
};

I'm using Postman to test my API. I setup the header with a x-access-token key and the value superSuperSecret. I got the error {"name":"JsonWebTokenError","message":"jwt malformed","level":"error"}. I'm using this https://github.com/FortechRomania/express-mongo-example-project/blob/master/src/middlewares/validateToken.js

You cannot pass any value as token. You need jwt.sign() to create a token. Look at the documentation of JWT for more information.

Also,

For the request Header name just use Authorization not x-access-token. Place Bearer before the Token.

Authorization: Bearer TOKEN_STRING

Each part of the JWT is a base64url encoded value. You can get your token as:

var token = req.headers.authorization.split(' ')[1];

Note :

JWT will return jwt malformed If Token is null that is being passed to jwt.verifty function

let token = null;
let payload = jwt.verify(token, 'secretKey'); // ERROR : jwt malformed

From what I see, you are not sending the actual JWT token but the secret instead. A valid JWT token consist of a three-part string delimited by dots, like so:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

https://jwt.io/

As you can see on the above website, 'superSuperSecret' is not a valid JWT token.