How to Decode JWT Safely (Without Trusting Payload)
JWT decoding is useful for debugging auth flows, but decoding is not the same as verification: anyone can read and rewrite the header and payload, and only the signature check tells you whether the token came from the issuer unmodified. Here is a safe workflow.
1) Decode only for inspection
Use a local decoder to inspect the first two segments (header and payload), then verify the signature in your backend before acting on anything you saw.
2) Check key claims
- exp: token expiry time
- iss: expected issuer
- aud: intended audience
- sub: subject/user identifier
3) Never authorize from decoded payload alone
Decoded data can be forged if the signature is not validated, since the payload is only base64url-encoded JSON. Always run server-side verification (signature, then the claims above) before granting access.
Common mistakes
- Treating any decoded token as valid.
- Ignoring clock skew for exp/nbf.
- Not validating issuer/audience.
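The workflow above, worked through end to end, as an added example (not code from the original post): decode_unverified covers step 1, verify_hs256 covers steps 2 and 3 (signature first, then exp/nbf with skew leeway, then iss and aud), and the forged-copy helper shows why the "common mistakes" matter, since a tampered token still decodes cleanly but fails verification. Only the standard library is used; the secret, issuer, audience and token contents are constructed values for the demo, and the HS256 signing helper exists only so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values for this demo (not from any real system).
DEMO_SECRET = b"demo-shared-secret-not-for-production"
EXPECTED_ISS = "https://issuer.example"
EXPECTED_AUD = "orders-api"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> dict:
    """Step 1: inspect header and payload only. Nothing returned here is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_seg, payload_seg, _sig_seg = parts
    return {
        "header": json.loads(_b64url_decode(header_seg)),
        "payload": json.loads(_b64url_decode(payload_seg)),
    }


def verify_hs256(token: str, secret: bytes, issuer: str, audience: str,
                 now=None, leeway: int = 30) -> dict:
    """Steps 2 and 3: check the signature first, then the key claims.
    Returns the payload only if every check passes; raises ValueError otherwise."""
    now = time.time() if now is None else now
    header_seg, payload_seg, sig_seg = token.split(".")
    header = json.loads(_b64url_decode(header_seg))

    # Pin the algorithm on the verifier side; never let the token's header choose it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")

    signing_input = f"{header_seg}.{payload_seg}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_seg)):
        raise ValueError("signature mismatch")

    payload = json.loads(_b64url_decode(payload_seg))

    # Time claims, with leeway for clock skew between issuer and verifier.
    if "exp" not in payload or now > payload["exp"] + leeway:
        raise ValueError("token expired or missing exp")
    if "nbf" in payload and now < payload["nbf"] - leeway:
        raise ValueError("token not yet valid")

    if payload.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = payload.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise ValueError("audience mismatch")
    return payload


def make_demo_token(payload: dict, secret: bytes = DEMO_SECRET) -> str:
    """Constructed HS256 issuer so the example runs offline (demo helper only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def forged_copy(token: str, new_sub: str) -> str:
    """Test fixture: change sub without re-signing. It decodes, but must not verify."""
    h, p, s = token.split(".")
    payload = json.loads(_b64url_decode(p))
    payload["sub"] = new_sub
    p2 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p2}.{s}"


if __name__ == "__main__":
    now = int(time.time())
    token = make_demo_token({"iss": EXPECTED_ISS, "aud": EXPECTED_AUD,
                             "sub": "user-42", "iat": now, "exp": now + 300})
    print("inspected:", decode_unverified(token)["payload"])
    print("verified :", verify_hs256(token, DEMO_SECRET, EXPECTED_ISS, EXPECTED_AUD))
    bad = forged_copy(token, "admin")
    print("forged decodes as:", decode_unverified(bad)["payload"]["sub"])
    try:
        verify_hs256(bad, DEMO_SECRET, EXPECTED_ISS, EXPECTED_AUD)
    except ValueError as err:
        print("forged rejected:", err)
```

The order inside verify_hs256 is the point: the algorithm is fixed by the verifier, the signature is checked before any claim is read, and exp/nbf are compared with a small leeway so a few seconds of clock skew between issuer and API does not reject fresh tokens. Pass `now=` explicitly in tests so the time checks are deterministic.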