BYTETOOLS

JWT Decoding Tips and the Security Mistakes to Avoid

The most important JWT rule is that decoding a token is not the same as trusting it β€” a decoder shows you the claims, but only a server that verifies the signature should ever act on them. JWTs are easy to misread and easy to misuse. These best practices help you debug auth flows quickly while sidestepping the mistakes that cause real security holes.

Never confuse decoding with verifying

A signed JWT (JWS) is Base64url-encoded, not encrypted. Anyone can decode the header and payload without a key β€” that is exactly what a client-side decoder does. Verification is a separate step that checks the signature against the issuer's secret or public key, and it must happen on the server. The classic mistake is code that decodes a token, reads role: admin from the payload, and grants access β€” without ever verifying the signature. An attacker can forge any payload they like. Decode to inspect; verify to trust.

Read iat, exp and nbf correctly

These three registered claims are Unix timestamps in seconds, not milliseconds β€” a frequent off-by-1000 bug when developers compare them to JavaScript's Date.now(). A good decoder converts them to readable dates for you and flags whether the token is expired. Keep their meanings straight:

ClaimMeaningCommon mistake
iatIssued atTreating it as expiry
expExpires atComparing in milliseconds
nbfNot valid beforeIgnoring it, so a token "works" too early

Mind the alg header

The alg field declares the signature algorithm β€” HS256, RS256 and so on. Two historic vulnerabilities live here. First, the none algorithm: a server that accepts alg: none will trust an unsigned token, an instant auth bypass. Second, RS256-to-HS256 confusion, where an attacker signs a token with the public key as an HMAC secret. The defense is the same for both: your server must whitelist the exact algorithms it expects and reject everything else. When debugging, always check what alg a token actually declares β€” a decoder makes this a glance.

Keep secrets out of the payload

Because the payload is readable by anyone, never put passwords, API keys or personal secrets in it. A JWT protects integrity, not confidentiality. If you truly need the contents hidden, that is what encrypted JWE tokens are for. A related habit: keep payloads lean. Every claim travels on every request in the Authorization header, so bloated tokens waste bandwidth and can hit header size limits.

Try the JWT Decoder β€” free and 100% in your browser.

Frequently asked questions

If a token decodes successfully, is it valid?

No. Successful decoding only means the token is well-formed Base64url. It says nothing about whether the signature is genuine or the token is expired β€” a forged token decodes just as cleanly as a real one. Validity requires server-side signature verification.

Why does my token "work" but get rejected by the API?

Often the exp has passed, or the nbf has not yet been reached, or the alg does not match what the server accepts. Decode the token and check the expiry badge and algorithm before assuming the server is at fault.

Is it dangerous to paste a real token into an online decoder?

It depends on the tool. A live JWT is a bearer credential, so a decoder that sends it to a server is a risk. A client-side decoder that keeps the token in your browser is safe for production tokens.

Can I trust custom claims like a role or plan?

Only after your server verifies the signature. Custom claims are as forgeable as any other part of the payload until the signature confirms the token really came from your issuer.

Related free tools

Built by ByteVancer

ByteTools is a free product of ByteVancer, a software and web development studio building web apps, SaaS and custom software. If you are building authentication into a product, explore how ByteVancer can architect secure auth and APIs for you.