# JwtDecode()

Reads the header and payload of a JSON Web Token (JWT) without verifying the signature.

Useful for inspecting tokens during debugging or for reading the key ID before verification.

WARNING: never trust decoded claims without calling JwtVerify() first.

**Requires Extension:** [Crypto Extension](https://download.lucee.org/#17AB52DE-B300-A94B-E058FC978BE4542D)

```
JwtDecode( token=string );
```

**Returns:** struct

# Arguments

| Argument | Type | Required | Description | Default |
|----------|------|----------|-------------|---------|
| token | string | Yes | JWT string to decode. |  |

# Usage Notes

**JwtDecode does NOT verify the signature.** It reads the header and payload without checking whether the token was tampered with. Never trust the claims from JwtDecode alone — always use [JwtVerify()](jwtverify.md) before acting on token contents.

Valid uses for JwtDecode:

- Inspecting the `kid` (key ID) header to look up the correct verification key
- Debugging token contents during development
- Checking the `alg` header before choosing a verification strategy

# Examples

```cfml
// JwtDecode reads the header and payload of a JWT without verifying the signature
// Useful for inspecting tokens before verification, or for debugging
secret = "my-super-secret-key-that-is-at-least-256-bits-long";
token = JwtSign(
	claims = { sub: "user123", role: "admin" },
	key = secret,
	algorithm = "HS256",
	kid = "my-key-id"
);

parts = JwtDecode( token );
// parts.header  - struct with alg, typ, kid etc.
// parts.payload - struct with all claims (sub, iat, exp, custom claims etc.)
// parts.signature - the raw signature string

// Check which algorithm was used
parts.header.alg; // "HS256"

// Read claims without needing the key
parts.payload.sub; // "user123"
parts.payload.role; // "admin"

// Inspect key ID to look up the right verification key
parts.header.kid; // "my-key-id"

// Works with any algorithm - RSA, EC, EdDSA
keyPair = GenerateKeyPair( "RSA-2048" );
token = JwtSign( claims = { sub: "rsauser" }, key = keyPair.private, algorithm = "RS256" );
parts = JwtDecode( token );
parts.header.alg; // "RS256"
```







# Categories

[Cryptography](../../categories/crypto.md)

# See Also

[JwtSign()](jwtsign.md), [JwtVerify()](jwtverify.md)