JwtDecode()

Reads the header and payload of a JSON Web Token (JWT) without verifying the signature.

Useful for inspecting tokens during debugging or for reading the key ID before verification.

WARNING: never trust decoded claims without calling JwtVerify() first.

Requires Extension: Crypto Extension


	JwtDecode( token=string );

Returns: Struct

Argument	Description
token _{string, required}	edit JWT string to decode.

Usage Notes

edit

JwtDecode does NOT verify the signature. It reads the header and payload without checking whether the token was tampered with. Never trust the claims from JwtDecode alone — always use JwtVerify() before acting on token contents.

Valid uses for JwtDecode:

Inspecting the kid (key ID) header to look up the correct verification key
Debugging token contents during development
Checking the alg header before choosing a verification strategy

Examples

edit

// JwtDecode reads the header and payload of a JWT without verifying the signature
// Useful for inspecting tokens before verification, or for debugging
secret = "my-super-secret-key-that-is-at-least-256-bits-long";
token = JwtSign(
	claims = { sub: "user123", role: "admin" },
	key = secret,
	algorithm = "HS256",
	kid = "my-key-id"
);

parts = JwtDecode( token );
// parts.header  - struct with alg, typ, kid etc.
// parts.payload - struct with all claims (sub, iat, exp, custom claims etc.)
// parts.signature - the raw signature string

// Check which algorithm was used
parts.header.alg; // "HS256"

// Read claims without needing the key
parts.payload.sub; // "user123"
parts.payload.role; // "admin"

// Inspect key ID to look up the right verification key
parts.header.kid; // "my-key-id"

// Works with any algorithm - RSA, EC, EdDSA
keyPair = GenerateKeyPair( "RSA-2048" );
token = JwtSign( claims = { sub: "rsauser" }, key = keyPair.private, algorithm = "RS256" );
parts = JwtDecode( token );
parts.header.alg; // "RS256"

JwtDecode()

Usage Notes

Examples

See also