Decoding and Validating JWT
JWT Uncovered
JWT stands for JSON Web Token, a compact, URL-safe structure used for transferring claims between two parties. The claims within a JWT are encoded as a JSON object. This object serves as the payload of a JSON Web Signature (JWS) structure, allowing the claims to be digitally signed or protected with a Message Authentication Code (MAC).
A JWT typically has three components: Header, Payload, and Signature, separated by dots (.). This results in a structure that looks something like this:
header.payload.signature
Decoding JWT
JWTs are designed to transmit information in a compact and self-contained way. However, when we need to access the data within, decoding is necessary.
Decoding a JWT involves splitting the token on the dot (.) and then Base64url-decoding the separated parts. This yields the JSON data for the header and payload. The header and payload are only encoded, not encrypted, so anyone holding the token can read them.
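    // Decodes the payload (second segment) of a JWT. This does NOT verify the signature.
    function decodeJwt(token) {
      const parts = token.split('.');
      if (parts.length !== 3) {
        throw new Error('Malformed JWT: expected header.payload.signature');
      }
      // Convert base64url to standard Base64 so atob() can decode it
      const base64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
      // atob() returns a binary string; percent-encode each byte so that
      // decodeURIComponent() interprets the bytes as UTF-8
      const jsonPayload = decodeURIComponent(atob(base64).split('').map(function(c) {
        return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);
      }).join(''));
      return JSON.parse(jsonPayload);
    }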
Validating JWT Signature
Decoding JWT provides the data within the token, but how can we trust it? Validating the signature helps confirm the data's integrity. The signature is created using the header, payload, and a secret key.
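    const jwt = require('jsonwebtoken');

    // Returns the verified payload, or false if the token is not valid.
    function validateJwt(token, secretKey) {
      try {
        // Pin the accepted algorithm instead of trusting the token's header.
        // HS256 is an assumption here, chosen because the key is a shared secret.
        const payload = jwt.verify(token, secretKey, { algorithms: ['HS256'] });
        return payload;
      } catch (err) {
        // jwt.verify throws on a bad signature, a malformed token, or an expired token
        return false;
      }
    }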
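To show what the jwt.verify call above does with "the header, payload, and a secret key", here is an added example (not code from the original article) that checks an HS256 token using only Node's built-in crypto module. The helper names signHs256, verifyHs256 and hmacB64url, and the optional nowSeconds parameter, are assumptions made for illustration.

```javascript
// Added example: HS256 verification using only Node's built-in crypto module.
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// HMAC-SHA256 over "header.payload", the exact bytes the signature covers.
function hmacB64url(signingInput, secret) {
  return b64url(crypto.createHmac('sha256', secret).update(signingInput).digest());
}

// Builds a token for the demonstration (constructed sample helper).
function signHs256(payload, secret) {
  const signingInput =
    b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) + '.' + b64url(JSON.stringify(payload));
  return signingInput + '.' + hmacB64url(signingInput, secret);
}

// Returns the payload when the token is valid, otherwise null.
function verifyHs256(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  const [headerB64, payloadB64, signatureB64] = parts;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(headerB64, 'base64url').toString('utf8'));
    payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString('utf8'));
  } catch (err) {
    return null; // header or payload is not valid JSON
  }
  // Pin the algorithm: the token's own header must not choose how it is verified.
  if (!header || header.alg !== 'HS256') return null;
  // Recompute the signature and compare in constant time.
  // timingSafeEqual throws on unequal lengths, so check the length first.
  const expected = Buffer.from(hmacB64url(headerB64 + '.' + payloadB64, secret));
  const actual = Buffer.from(signatureB64);
  if (actual.length !== expected.length || !crypto.timingSafeEqual(actual, expected)) return null;
  // Only after the signature checks out are the claims trusted.
  if (!payload || typeof payload !== 'object') return null;
  if (typeof payload.exp === 'number' && payload.exp <= nowSeconds) return null;
  return payload;
}
```

The signature covers the encoded header and payload exactly as transmitted, so changing a single character in either part makes the recomputed HMAC differ and the token is rejected.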
Conclusion
Understanding JWTs and knowing how to decode and validate them are vital skills in ensuring secure data exchange and authentication. While these processes might seem complex at first, many libraries simplify these tasks.
Working with JWTs goes beyond just decoding. Validating their signatures is a crucial step in maintaining data integrity and security. Stay sharp, and happy coding!