DEV Community

Cover image for How to decode a JWT
Brian Morrison II
Brian Morrison II

Posted on

How to decode a JWT

JWTs are used a lot in authentication, but have you ever wondered how libraries extract information about the user from this massive blob of text?

Here is what a raw JWT looks like:

A JWT

Oftentimes these are stored in a cookie or in the browser’s local storage to be sent with HTTP requests.

JWTs have three parts

JWTs are made up of three separate parts, each separated by a period.

The header contains info about the JWT and the encryption algorithm used to sign it. The payload (or claims) section contains encoded information such as who the JWT was created for, who created it, when it expires, etc. And the signature is a cryptographically signed version of the header and claims to prevent tampering.

Here is what that same JWT looks like, split on the periods:

A JWT split

Decoding the payload

While every part of the JWT is important, the data that gets returned from extraction and verification libraries comes from the payload.

The payload is simply a JSON object that’s been base64 encoded. Anything encoded with base64 can be decoded as well since it’s NOT encryption. Reversing the encoding returns the same data that was passed in!

The claims of the JWT decoded into a JSON object

🤗 If you are interested in more content like this and want to support me, consider joining my newsletter!

Top comments (0)