Brian Morrison II

How to decode a JWT

JWTs are used a lot in authentication, but have you ever wondered how libraries extract information about the user from this massive blob of text?

Here is what a raw JWT looks like:

[Image: a raw JWT]

Oftentimes these are stored in a cookie or in the browser’s local storage to be sent with HTTP requests.

JWTs have three parts

JWTs are made up of three separate parts, each separated by a period.

The header contains info about the JWT and the algorithm used to sign it. The payload (or claims) section contains encoded information such as who the JWT was created for, who created it, when it expires, etc. And the signature is computed over the encoded header and payload so that tampering with either one can be detected.

Here is what that same JWT looks like, split on the periods:

[Image: the same JWT split into its three parts]

Decoding the payload

While every part of the JWT is important, the data that gets returned from extraction and verification libraries comes from the payload.

The payload is simply a JSON object that’s been base64url encoded (the URL-safe variant of base64). Anything encoded with base64 can be decoded as well since it’s NOT encryption, so anyone who holds the token can read the payload. Reversing the encoding returns the same data that was passed in!

[Image: the claims of the JWT decoded into a JSON object]
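
The split-and-decode steps described above, as an added JavaScript (Node.js) example that is not code from the original post; the function names and the sample token are constructed for illustration. It also shows that decoding succeeds even when the payload no longer matches the signature, which is why decoded claims stay untrusted until the signature has been verified.

```javascript
// base64url -> UTF-8 text. Node's "base64url" encoding handles the URL-safe
// alphabet ("-" and "_") and the "=" padding that JWTs leave off.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) {
    throw new Error("segment is not base64url");
  }
  return Buffer.from(segment, "base64url").toString("utf8");
}

function base64UrlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64url");
}

// Split on the periods, then decode the header and payload.
// The signature is returned untouched: nothing here checks it.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("expected header.payload.signature");
  }
  const [header, payload, signature] = parts;
  return {
    header: JSON.parse(base64UrlDecode(header)),
    payload: JSON.parse(base64UrlDecode(payload)),
    signature,
  };
}

// Constructed sample token; the signature is a labelled placeholder.
function buildSampleToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = base64UrlEncode(JSON.stringify(claims));
  return `${header}.${payload}.constructed-signature-placeholder`;
}

// Re-encode different claims but keep the old signature segment.
function swapPayload(token, claims) {
  const [header, , signature] = token.split(".");
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.${signature}`;
}

const sampleToken = buildSampleToken({ sub: "user-123", role: "user", exp: 1735689600 });
const editedToken = swapPayload(sampleToken, { sub: "user-123", role: "admin" });

console.log(decodeJwt(sampleToken).payload);
// Decoding still succeeds although the signature no longer matches, so
// treat decoded claims as untrusted until a library verifies the signature.
console.log(decodeJwt(editedToken).payload);
```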
