How to decode a JWT token in JavaScript, Python, Java, Go or C#
Decoding is not the same as verifying. Decoding just Base64URL-splits the three token sections and parses JSON. Verifying checks the signature against a secret or public key. Never trust decoded claims without verifying first.
Decode + verify in production code:
```javascript
// Node.js / TypeScript — jsonwebtoken
const jwt = require('jsonwebtoken');

// Decode without verifying (quick inspection only; nothing here can be trusted yet)
const decoded = jwt.decode(token, { complete: true });
console.log(decoded.header, decoded.payload);

// Verify + decode; pin the accepted algorithms instead of trusting the header's alg
try {
  const payload = jwt.verify(token, secretOrPublicKey, { algorithms: ['HS256'] });
} catch (e) {
  // expired, bad signature, wrong alg, etc.
}
```

```python
# Python — PyJWT
import jwt

# decode() verifies the signature and the exp/nbf/iat claims, plus the aud and iss you pass in
payload = jwt.decode(token, key, algorithms=['HS256', 'RS256'],
                     audience='your-api', issuer='your-auth-server')
```

```java
// Java — jjwt (io.jsonwebtoken)
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;

// parseClaimsJws() rejects unsigned tokens and bad signatures by throwing
Jws<Claims> claims = Jwts.parserBuilder()
        .setSigningKey(key)
        .build()
        .parseClaimsJws(token);
Claims payload = claims.getBody();
```

```go
// Go — golang-jwt/jwt
import (
	"fmt"

	"github.com/golang-jwt/jwt/v5" // v4 exposes the same Parse/WithValidMethods API
)

// The keyfunc returns the verification key; WithValidMethods pins the algorithm
token, err := jwt.Parse(tokenString, func(t *jwt.Token) (interface{}, error) {
	return secretKey, nil
}, jwt.WithValidMethods([]string{"HS256"}))
if err != nil || !token.Valid {
	// expired, bad signature, wrong alg, etc.
} else if claims, ok := token.Claims.(jwt.MapClaims); ok {
	fmt.Println(claims["sub"])
}
```

```csharp
// C# / .NET — System.IdentityModel.Tokens.Jwt
using System.IdentityModel.Tokens.Jwt;
using System.Linq;

var handler = new JwtSecurityTokenHandler();
// ReadJwtToken only decodes; it validates neither the signature nor any claim.
// Call handler.ValidateToken(jwtString, validationParameters, out _) before trusting claims.
var token = handler.ReadJwtToken(jwtString);
var claim = token.Claims.FirstOrDefault(c => c.Type == "sub");
```
JWT security checklist — 8 things to verify on every token
- Algorithm whitelist — never accept alg: none, and never accept an algorithm the server didn't issue. Hard-code the expected alg (HS256 or RS256) rather than reading it from the token header.
- Signature verification — always check before trusting any claim. Decoding is not verification.
- exp (expiration) — must be in the future. Library should enforce by default, but confirm.
- nbf (not before) — must be in the past. Protects against tokens issued with a future activation time.
- iat (issued at) — sanity-check that it isn't in the future (allowing for clock skew).
- iss (issuer) — matches the auth server you trust, not some other issuer.
- aud (audience) — matches your API identifier, not a different microservice's ID.
- Token replay — for bearer tokens, either rotate frequently or track the jti claim server-side to detect reuse.
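The eight checks above, applied by hand in standard-library Python as an added example (this is not the page's code nor any library's); the HS256 secret, issuer, audience and in-memory jti store are constructed for illustration, and sign_hs256 exists only to mint input for the checks:

```python
import base64, hmac, hashlib, json, time

ALLOWED_ALGS = {"HS256"}  # hard-coded; never taken from the token header
SEEN_JTI = set()          # constructed in-memory replay store; use a shared cache in production

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    # Mints a token so the checks below have input; 'alg' is a parameter only to build negative cases
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify(token: str, secret: bytes, issuer: str, audience: str, now=None, skew=60) -> dict:
    # Applies the eight checklist items in order; raises ValueError on the first failure
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, payload = json.loads(_b64url_decode(h64)), json.loads(_b64url_decode(p64))
    except ValueError:
        raise ValueError("malformed token")
    # 1. algorithm whitelist: rejects alg 'none' and anything this server did not issue
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    # 2. signature, constant-time comparison, checked before any claim is trusted
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    # 3-5. exp must be in the future; nbf and iat must not be in the future beyond clock skew
    if "exp" not in payload or payload["exp"] <= now:
        raise ValueError("token expired or exp missing")
    if payload.get("nbf", 0) > now + skew or payload.get("iat", 0) > now + skew:
        raise ValueError("nbf or iat in the future")
    # 6-7. iss and aud must match this service exactly
    if payload.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    # 8. replay: each jti is accepted once
    jti = payload.get("jti")
    if jti is None or jti in SEEN_JTI:
        raise ValueError("missing or replayed jti")
    SEEN_JTI.add(jti)
    return payload
```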
Tools like Auth0's express-oauth2-jwt-bearer middleware enforce all eight automatically. Rolling your own JWT validation is an easy place to get it wrong.
Frequently Asked Questions
What is a JWT token?
A JSON Web Token (JWT) is a compact, URL-safe means of representing claims between two parties, commonly used for authentication and authorization.
Is it safe to decode JWT tokens online?
Yes, JWT decoding only reads the publicly visible header and payload — no secret key is needed. Our tool runs entirely in your browser; no data is sent to any server.
What does "alg: none" mean in a JWT?
The "none" algorithm means the token has no signature verification, which is a serious security vulnerability. Never accept tokens with alg:none in production.
Copyright © 2026 BuildStudio. All rights reserved.
Designed and Developed by Webority Technologies