2026-07-04
How to Decode a JWT in Node.js
Decode JWT header and payload in Node.js safely, and when to verify signatures instead of only decoding.
Decoding a JWT in Node.js is straightforward — but decoding alone does not authenticate a request. Use decode for inspection; use verify for trust.
Split and Base64URL-decode
A JWT is header.payload.signature. In Node you can split on ., convert Base64URL to a buffer, and JSON.parse the header and payload. The signature remains opaque without key material.
Prefer a maintained library for verify
For production verification, use a maintained library such as jose rather than hand-rolling crypto. Specify allowed algorithms explicitly and reject none.
Inspect visually while you develop
When you are unsure what a token contains, paste it into the Cyberway JWT Decoder — it runs in the browser and never sends the token to a server. Generate fixtures with the JWT Generator.
Continue with the Complete JWT Guide for claims, algorithms, and security pitfalls.
Try the Cyberway JWT Decoder or JWT Generator — both run entirely in your browser.