How to decode a JWT: the safe way in 2026
When working with JSON Web Tokens, or JWTs, I often find myself needing to decode them to understand their contents. A JWT is essentially a string consisting of three parts: a header, a payload, and a signature, all separated by dots. The header typically contains the algorithm used for signing, while the payload contains the actual data, such as user information. The signature is generated by signing the header and payload with a secret key.
To decode a JWT, you need to understand the Base64URL alphabet, which is a modified version of the standard Base64 alphabet. The main difference is that Base64URL uses hyphens and underscores instead of plus signs and slashes (and JWTs omit the trailing `=` padding), making it safe to carry in URLs. Remember, though, that a JWT is a bearer credential: anyone who obtains it can present it, so decoding a token must never mean handing it to a third party.
# TL;DR
- A JWT consists of a header, a payload, and a signature, all separated by dots.
- To decode a JWT, you need to understand the Base64URL alphabet.
- You should never paste tokens into random websites to avoid potential security risks.
- Verifying the signature is crucial to ensure the token's authenticity.
- The real attack surface lies in the handling and storage of the secret key used for signing.
# Introduction to JWTs
A JWT is a compact, URL-safe means of representing claims to be transferred between two parties. The RFC 7519 specification defines the JWT structure and the processing rules. According to the spec, the header and payload are Base64URL-encoded JSON, and the signature is computed over those two encoded parts with the signing key and then Base64URL-encoded as well. To work with JWTs, you need to understand how to decode and verify them securely.
# Decoding a JWT
To decode a JWT, you can run a Base64URL decoder over its first two parts. However, you should never paste the token into a random website: the token is a credential, and whoever runs that site receives it. Instead, use a trusted tool, such as a JWT decoder, that decodes the token locally. For example, you can paste the token into our JWT decoder to see the header and payload. Keep in mind that decoding only reveals the contents; it says nothing about whether the token is genuine, which is what signature verification is for.
# Understanding the Base64URL Alphabet
The Base64URL alphabet is a modified version of the standard Base64 alphabet. It uses hyphens and underscores instead of plus signs and slashes, making it more suitable for use in URLs. You can use a Base64URL encoder and decoder, such as the one found at https://converterhub.dev/tools/base64-encode-decode, to work with Base64URL-encoded strings.
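The decoding steps above, as an added example that is not part of the original article and not the converter tool linked there: a Node.js script that translates the Base64URL alphabet back to standard Base64, restores the padding, splits a JWT into its three parts and parses the two JSON parts. The sample token, its claims and its three-byte placeholder signature are constructed here, and every function name is this example's own.

```javascript
// Added example, not code from the original article: decode a JWT's header
// and payload locally with Node.js only. Decoding is not verification; the
// signature is returned as raw bytes for a separate verification step.

// RFC 4648 section 5 alphabet; JWTs omit the '=' padding entirely.
const BASE64URL_ALPHABET = /^[A-Za-z0-9_-]*$/;

// Decode an unpadded Base64URL string into a Buffer, rejecting anything
// outside the URL-safe alphabet ('+', '/', '=' and whitespace included).
function base64UrlDecode(input) {
  if (!BASE64URL_ALPHABET.test(input)) {
    throw new Error('input contains characters outside the Base64URL alphabet');
  }
  if (input.length % 4 === 1) {
    throw new Error('invalid Base64URL length');
  }
  // Map back to the standard alphabet and restore the padding Node expects.
  const standard = input.replace(/-/g, '+').replace(/_/g, '/');
  const padding = '='.repeat((4 - (standard.length % 4)) % 4);
  return Buffer.from(standard + padding, 'base64');
}

// Encode a Buffer as unpadded Base64URL, the form used in JWTs.
function base64UrlEncode(buf) {
  return buf
    .toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}

// Split the compact serialization on '.' and parse the two JSON parts.
function decodeJwtUnverified(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('expected header.payload.signature');
  }
  const [headerPart, payloadPart, signaturePart] = parts;
  return {
    header: JSON.parse(base64UrlDecode(headerPart).toString('utf8')),
    payload: JSON.parse(base64UrlDecode(payloadPart).toString('utf8')),
    signature: base64UrlDecode(signaturePart), // raw bytes, not yet checked
  };
}

// Constructed sample token (not a real credential): the header and payload
// are built with the encoder above; the "signature" is three zero bytes,
// which is exactly why the output of decodeJwtUnverified must not be trusted.
const SAMPLE_TOKEN = [
  base64UrlEncode(Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))),
  base64UrlEncode(Buffer.from(JSON.stringify({ sub: 'user-123', role: 'viewer', exp: 1893456000 }))),
  base64UrlEncode(Buffer.from([0, 0, 0])),
].join('.');

console.log(JSON.stringify(decodeJwtUnverified(SAMPLE_TOKEN).payload));
```

The alphabet check is deliberately strict: a part containing `+`, `/` or `=` is not a valid JWT segment, and rejecting it early is cheaper than letting a lenient decoder guess. Node's own `Buffer.from(str, 'base64url')` does the same translation in one call on recent versions; the manual version is kept here so the alphabet mapping is visible.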
# Verifying the Signature
Verifying the signature is crucial to ensure the token's authenticity. The signature is generated using a secret key, and you need to use the same key to verify it. Use a library or framework that implements JWS (RFC 7515) verification. For example, in Node.js, you can use the jsonwebtoken library to verify a JWT:
```javascript
const jwt = require('jsonwebtoken');

const token = 'your_token_here';          // the incoming JWT
const secretKey = 'your_secret_key_here'; // the same key that was used to sign it

// Pin the accepted algorithm so the token's own header cannot select a different one.
jwt.verify(token, secretKey, { algorithms: ['HS256'] }, (err, decoded) => {
  if (err) {
    // Covers a bad signature, an expired token and an algorithm mismatch.
    console.log('Invalid token');
  } else {
    // `decoded` is the verified payload; only now are its claims trustworthy.
    console.log('Token is valid');
  }
});
```
# Common mistakes
- Pasting tokens into random websites to decode them
- Not verifying the signature before trusting the token
- Using a weak secret key for signing
- Not handling token expiration correctly
- Not validating the token's payload before using it
# FAQ
# Is Base64 encryption?
Base64 is not encryption, but rather a means of encoding binary data using a character set. It is often used to encode data that needs to be transferred over a text-based protocol, such as email or HTTP.
# How do I verify a JWT signature?
To verify a JWT signature, you need to use the same secret key that was used to generate the signature. You can use a library or framework that supports JWT verification to verify the signature.
# What is the difference between Base64 and Base64URL?
The main difference between Base64 and Base64URL is the character set used. Base64 uses plus signs and slashes, while Base64URL uses hyphens and underscores.
# Can I use a JWT decoder to decode any token?
No, a JWT decoder is specifically designed to decode JWTs. If you try to decode a token that is not a JWT, the decoder may not work correctly.
# How do I handle token expiration?
You should always check the token's expiration time before using it. If the token has expired, you should not trust it and should instead request a new token.
# Wrapping up
In conclusion, decoding a JWT requires understanding the Base64URL alphabet and verifying the signature to ensure the token's authenticity. You should never paste tokens into random websites to avoid potential security risks. By using a trusted tool, such as a JWT decoder, and following best practices for handling and storing secret keys, you can work with JWTs securely and effectively.