Skip to content
TextArray

How to decode a JWT safely and verify its authenticity

Blog /

JSON Web Tokens (JWTs) are used everywhere—in authentication, API requests, and secure data exchange—but many developers treat them as opaque black boxes. Decoding a JWT is simple, but trusting it without verification is a security risk. This guide shows you how to inspect tokens safely and understand what you're actually working with.

What is a JWT?

A JWT is three base64-encoded sections separated by dots: header.payload.signature. The header describes the token type and algorithm, the payload contains claims (user data), and the signature proves the token hasn't been tampered with. The payload is human-readable once decoded, but that doesn't mean it's trustworthy—anyone can forge or modify the data inside.

Why decoding alone isn't enough

Attackers can craft a valid-looking JWT and change the claims inside. A token that decodes to valid JSON might grant false permissions or impersonate another user. The critical step is verifying the signature against the server's secret key—without that check, a decoded token tells you what the token claims, not what's actually true.

How to decode a JWT

Use the JWT decoder to inspect any token. Paste the token and you'll immediately see the header, payload, and signature separated. The payload is typically base64url-encoded, and the Base64 tool can help you decode additional data if needed. This visual breakdown makes it clear what information the token contains and whether it makes sense for its intended use.

Verifying the signature

After decoding, you need to verify the token is genuine. This requires the server's secret key or public key (for asymmetric algorithms). You can manually verify a signature by recalculating it—take the header and payload, sign them with the same algorithm and key, and compare the result to the signature section. A hash generator can help you understand how cryptographic signatures are created, though most verification happens server-side in real applications.

Privacy and security

When you decode a JWT in the JWT decoder, the entire process happens in your browser. Your token never leaves your device, never reaches a server, and is never logged anywhere. The tool works offline after the page loads, so you can safely inspect sensitive tokens without network exposure. This matters because JWTs often contain user IDs, permissions, or other data you don't want transmitted to third parties.

Common mistakes to avoid