ByteTools Logo

JWT Decoding Guide: How to Decode and Verify JSON Web Tokens

Master JWT decoding and verification for secure authentication. Learn token structure, claims validation, signature verification, and security best practices.

Try Our JWT Decoder

Table of Contents

What is JWT?

JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. JWTs are commonly used for authentication and information exchange in web applications.

Why Use JWT?

Benefits

  • Stateless - No server-side session storage
  • Portable - Can be used across different domains
  • Compact - Small size for HTTP headers
  • Self-contained - Contains all necessary information

Considerations

  • Size - Larger than session IDs
  • Cannot revoke - Valid until expiration
  • Sensitive data - Payload is readable
  • Key management - Requires secure secret handling

JWT Structure

A JWT consists of three Base64-encoded parts separated by dots:

header.payload.signature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Header

Contains metadata about the token:

{
"alg": "HS256",
"typ": "JWT"
}
  • alg: Signing algorithm
  • typ: Token type

Payload

Contains claims (statements about the user):

{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022,
"exp": 1516242622
}
  • sub: Subject (user ID)
  • iat: Issued at time
  • exp: Expiration time

Signature

Verifies token integrity:

HMACSHA256(
base64UrlEncode(header) +
"." +
base64UrlEncode(payload),
secret
)
  • • Prevents tampering
  • • Requires secret key
  • • Verifies authenticity

JWT Decoding Process

Decoding a JWT involves extracting and parsing each part:

Step-by-Step Decoding

1

Split the Token

Separate the token at the dots (.) to get three parts

const [header, payload, signature] = token.split('.');
2

Base64 Decode

Decode each part from Base64URL encoding

const decodedHeader = JSON.parse(atob(header));
const decodedPayload = JSON.parse(atob(payload));
3

Parse JSON

Convert the decoded strings to JSON objects

// Now you have readable header and payload objects

Important Note

Decoding only reveals content - it doesn't verify authenticity. Always validate the signature on the server!

Understanding JWT Claims

Claims are statements about an entity (typically the user) and additional data:

Standard Claims

"iss" (Issuer)
Who issued the token
Example: "https://auth.example.com"
"sub" (Subject)
Who the token is about
Example: "user123" or "john@example.com"
"aud" (Audience)
Who should accept the token
Example: "api.example.com"
"exp" (Expiration)
When the token expires
Unix timestamp: 1704067200
"iat" (Issued At)
When the token was issued
Unix timestamp: 1704063600

Custom Claims

"name"
User's full name
Example: "John Doe"
"email"
User's email address
Example: "john@example.com"
"roles"
User's permissions/roles
Example: ["admin", "user"]
"permissions"
Specific permissions
Example: ["read:posts", "write:posts"]
"tenant_id"
Multi-tenant identifier
Example: "company-abc"

Security Reminder

Never include sensitive information like passwords, social security numbers, or private keys in JWT payload. The payload is only Base64-encoded, not encrypted!

Common Debugging Scenarios

"Token Expired" Errors

When users get authentication failures, check the token expiration:

// Check exp claim
const now = Math.floor(Date.now() / 1000);
const isExpired = payload.exp < now;

Debug Steps:

  • 1. Decode the JWT to see the exp claim
  • 2. Convert Unix timestamp to readable date
  • 3. Compare with current time
  • 4. Check token refresh logic

Permission Debugging

When users can't access resources, check roles and permissions:

// Check roles in payload
const userRoles = payload.roles || [];
const hasAdminRole = userRoles.includes('admin');

Debug Steps:

  • 1. Decode JWT and examine roles claim
  • 2. Check permissions array if present
  • 3. Verify role-to-permission mapping
  • 4. Test with different user accounts

Invalid Signature

When signature verification fails:

// Common causes:
- Wrong secret key
- Token was modified
- Different algorithm used

Debug Steps:

  • 1. Verify the signing algorithm in header
  • 2. Check if secret key matches
  • 3. Ensure token wasn't tampered with
  • 4. Validate key rotation timing

Malformed Token

When token structure is invalid:

// Valid JWT structure:
header.payload.signature
// Must have exactly 3 parts

Debug Steps:

  • 1. Count dots (.) - should be exactly 2
  • 2. Check for truncated tokens
  • 3. Verify Base64 encoding
  • 4. Test with a known good token

Security Best Practices

Security Do's

  • Use HTTPS - Always transmit JWTs over encrypted connections
  • Short expiration times - Use 15-60 minutes for access tokens
  • Strong secrets - Use cryptographically secure random keys
  • Validate all claims - Check iss, aud, exp on every request
  • Use refresh tokens - Implement proper token refresh flow
  • Store securely - Use secure, httpOnly cookies when possible

Security Don'ts

  • Don't store sensitive data - Payload is readable by anyone
  • Don't use weak secrets - Avoid predictable or short keys
  • Don't skip signature verification - Always validate server-side
  • Don't use "none" algorithm - Disabled unsigned tokens
  • Don't store in localStorage - Vulnerable to XSS attacks
  • Don't ignore expiration - Always check exp claim

Algorithm Security

Recommended

  • HS256 - HMAC with SHA-256
  • RS256 - RSA with SHA-256
  • ES256 - ECDSA with SHA-256

Deprecated

  • HS1 - Weak hash function
  • RS1 - Vulnerable to attacks
  • • Custom algorithms

Never Use

  • none - No signature
  • HS0 - No security
  • • MD5-based algorithms

Common Issues & Solutions

Clock Skew Issues

Problem:

Server and client clocks are out of sync, causing premature token expiration.

Solution:

  • • Add clock skew tolerance (usually 5 minutes)
  • • Use NTP to sync server clocks
  • • Implement proper time validation

Token Refresh Problems

Problem:

Users get logged out frequently due to short token lifetimes.

Solution:

  • • Implement refresh token flow
  • • Auto-refresh before expiration
  • • Use sliding expiration windows

Mobile App Considerations

Challenges:

  • • App backgrounding affects timers
  • • Network connectivity issues
  • • Secure storage limitations

Best Practices:

  • • Use device keychain/keystore
  • • Implement offline token validation
  • • Handle app lifecycle events

Testing Your JWT Implementation

Test Cases:

  • • Valid token acceptance
  • • Expired token rejection
  • • Invalid signature detection
  • • Malformed token handling

Security Tests:

  • • Algorithm confusion attacks
  • • None algorithm bypass
  • • Key confusion attacks
  • • Token replay attacks

Tools:

Ready to Decode Your JWT Tokens?

Use our secure JWT decoder with claim validation, signature verification, and detailed token analysis.

Start Decoding JWT Tokens Now