Cyberway

2026-07-04

How to Decode a JWT in Node.js

Decode JWT header and payload in Node.js safely, and when to verify signatures instead of only decoding.

Decoding a JWT in Node.js is straightforward — but decoding alone does not authenticate a request. Use decode for inspection; use verify for trust.

Split and Base64URL-decode

A JWT is header.payload.signature. In Node you can split on ., convert Base64URL to a buffer, and JSON.parse the header and payload. The signature remains opaque without key material.

Prefer a maintained library for verify

For production verification, use a maintained library such as jose rather than hand-rolling crypto. Specify allowed algorithms explicitly and reject none.

Inspect visually while you develop

When you are unsure what a token contains, paste it into the Cyberway JWT Decoder — it runs in the browser and never sends the token to a server. Generate fixtures with the JWT Generator.

Continue with the Complete JWT Guide for claims, algorithms, and security pitfalls.

Try the Cyberway JWT Decoder or JWT Generator — both run entirely in your browser.