How to Decode JWT Tokens in JavaScript
Decode and verify JWT tokens in JavaScript and Node.js with jsonwebtoken, jose, and Web Crypto. Examples and security notes.
Quick Answer
To decode a JWT in JavaScript, paste your token into our JWT Decoder, inspect the header and payload claims, then verify the signature with the JWT Validator. All processing runs locally in your browser.
Quick Start
import jwt from 'jsonwebtoken';
// Verify (recommended): checks the signature and, with these options, pins the
// algorithm and validates iss/aud; exp and nbf are checked by default
const payload = jwt.verify(token, process.env.JWT_SECRET, {
  algorithms: ['HS256'],
  issuer: 'https://auth.example.com',
  audience: 'my-api',
});
// Decode only (debugging — NOT for auth): no signature check at all
const decoded = jwt.decode(token, { complete: true });
Manual Decode (Browser)
// Base64URL -> Base64: restore '+' and '/' and the '=' padding the JWT alphabet drops,
// then decode the bytes as UTF-8 before parsing JSON (atob alone mangles non-ASCII claims)
function decodePart(part) {
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}
const [headerB64, payloadB64] = token.split('.'); // third segment is the signature
const header = decodePart(headerB64);   // e.g. { alg: 'HS256', typ: 'JWT' }
const payload = decodePart(payloadB64); // claims, unverified until the signature is checked
Using jose (Modern)
import { jwtVerify } from 'jose';
const secret = new TextEncoder().encode(process.env.JWT_SECRET);
// jose validates exp/nbf by default; pin the algorithm and check iss/aud as well
const { payload } = await jwtVerify(token, secret, {
  algorithms: ['HS256'],
  issuer: 'https://auth.example.com',
  audience: 'my-api',
});
Security Notes
Never use decode-only paths for authorization. Always verify signature and validate exp, iss, aud. Test tokens with our JWT Decoder and JWT Validator.
Learn More
See Node.js JWT Decode and TypeScript Verify examples.
Understanding How to Decode JWT Tokens in JavaScript in Production
Developers search for How to Decode JWT Tokens in JavaScript when building API authentication with JSON Web Tokens. JWTs are used by OAuth 2.0, OpenID Connect, Auth0, Firebase, AWS Cognito, and Keycloak. Always validate exp, iss, and aud server-side — decoding alone proves nothing about authenticity.
JWT Structure Recap
Every JWT has three dot-separated segments: header (algorithm), payload (claims), signature (proof). Use JWT Decoder to inspect and JWT Validator to verify before trusting any claim value in production code.
Common Pitfalls
- Algorithm confusion (the "none" attack) — whitelist allowed algorithms
- Secrets in the payload — payload is only Base64-encoded, not encrypted
- Ignoring clock skew on exp and nbf
- Weak HMAC secrets — use 256-bit random keys
- Skipping signature verification — always call verify(), not decode()
- Storing tokens in localStorage — XSS can steal them
Further Reading
Browse related resources: JWT Decoder, JWT Validator, JWT Basics, JWT Authentication, JWT Errors, Algorithms, Glossary, and Learning Path.
FAQ
How do I decode JWT in browser JavaScript?
Split on dots, Base64URL-decode header and payload segments, JSON.parse each. Never skip signature verification in production.
Which library should I use?
jsonwebtoken for Node.js, jose for modern Node/browser, or Web Crypto API for zero-dependency verification.