JWT Decoding Tips and the Security Mistakes to Avoid
The most important JWT rule is that decoding a token is not the same as trusting it β a decoder shows you the claims, but only a server that verifies the signature should ever act on them. JWTs are easy to misread and easy to misuse. These best practices help you debug auth flows quickly while sidestepping the mistakes that cause real security holes.
Never confuse decoding with verifying
A signed JWT (JWS) is Base64url-encoded, not encrypted. Anyone can decode the header and payload without a key β that is exactly what a client-side decoder does. Verification is a separate step that checks the signature against the issuer's secret or public key, and it must happen on the server. The classic mistake is code that decodes a token, reads role: admin from the payload, and grants access β without ever verifying the signature. An attacker can forge any payload they like. Decode to inspect; verify to trust.
Read iat, exp and nbf correctly
These three registered claims are Unix timestamps in seconds, not milliseconds β a frequent off-by-1000 bug when developers compare them to JavaScript's Date.now(). A good decoder converts them to readable dates for you and flags whether the token is expired. Keep their meanings straight:
| Claim | Meaning | Common mistake |
|---|---|---|
| iat | Issued at | Treating it as expiry |
| exp | Expires at | Comparing in milliseconds |
| nbf | Not valid before | Ignoring it, so a token "works" too early |
Mind the alg header
The alg field declares the signature algorithm β HS256, RS256 and so on. Two historic vulnerabilities live here. First, the none algorithm: a server that accepts alg: none will trust an unsigned token, an instant auth bypass. Second, RS256-to-HS256 confusion, where an attacker signs a token with the public key as an HMAC secret. The defense is the same for both: your server must whitelist the exact algorithms it expects and reject everything else. When debugging, always check what alg a token actually declares β a decoder makes this a glance.
Keep secrets out of the payload
Because the payload is readable by anyone, never put passwords, API keys or personal secrets in it. A JWT protects integrity, not confidentiality. If you truly need the contents hidden, that is what encrypted JWE tokens are for. A related habit: keep payloads lean. Every claim travels on every request in the Authorization header, so bloated tokens waste bandwidth and can hit header size limits.
Try the JWT Decoder β free and 100% in your browser.
Frequently asked questions
If a token decodes successfully, is it valid?
No. Successful decoding only means the token is well-formed Base64url. It says nothing about whether the signature is genuine or the token is expired β a forged token decodes just as cleanly as a real one. Validity requires server-side signature verification.
Why does my token "work" but get rejected by the API?
Often the exp has passed, or the nbf has not yet been reached, or the alg does not match what the server accepts. Decode the token and check the expiry badge and algorithm before assuming the server is at fault.
Is it dangerous to paste a real token into an online decoder?
It depends on the tool. A live JWT is a bearer credential, so a decoder that sends it to a server is a risk. A client-side decoder that keeps the token in your browser is safe for production tokens.
Can I trust custom claims like a role or plan?
Only after your server verifies the signature. Custom claims are as forgeable as any other part of the payload until the signature confirms the token really came from your issuer.
Related free tools
- Base64 Decoder β decode individual token segments by hand.
- JSON Formatter β tidy a decoded payload for review.
- Unix Timestamp Converter β turn iat/exp into readable dates.
- SHA-256 Hash Generator β for hashing and integrity checks.
Built by ByteVancer
ByteTools is a free product of ByteVancer, a software and web development studio building web apps, SaaS and custom software. If you are building authentication into a product, explore how ByteVancer can architect secure auth and APIs for you.
Recommended reading
How to Decode a JWT and Inspect Its Claims Safely
Decode any JSON Web Token in your browser to read its header, payload and expiry. Learn what iat, exp and alg mean, and why signature checks stay server-side.
XOR Cipher Use Cases: CTFs, Learning, and Puzzles
Real use cases for the XOR cipher, from CTF challenges and teaching bitwise logic to lightweight obfuscation, with concrete worked examples.
XOR Cipher Tips: Keys, Security, and Common Mistakes
Pro tips and common mistakes for the repeating-key XOR cipher: key length, reuse pitfalls, format choices, and when to switch to real encryption.
How to Use an XOR Cipher to Encode and Decode Text
A step-by-step guide to encoding and decoding text with a repeating-key XOR cipher, output as hex or Base64, privately in your browser.