Decode a JWT Token With Base64: Read the Payload Without a Library

2026-06-03 5 min read

JWT tokens are three Base64URL-encoded sections. You can decode the header and payload in a browser-based Base64 decoder to inspect claims.

If you've ever worked with a modern authentication system, you've dealt with JWT tokens. They look like random garbage but they actually contain readable JSON data. You can decode the payload yourself in about 30 seconds.

JWT structure

A JWT is three Base64url-encoded strings joined by dots:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

  • Part 1 (header): Algorithm and token type
  • Part 2 (payload): The claims. Your user ID, email, roles, expiry time
  • Part 3 (signature): HMAC or RSA signature used to verify the token hasn't been tampered with

Decoding the payload manually

Take the middle part (between the two dots) and Base64-decode it. The "url" variant of Base64 uses - and _ instead of + and /, and omits the padding =. Standard decoders such as the browser's atob() expect the standard alphabet and padding, so you need to account for that:

// The sample token from above; only the middle part is decoded here
const token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

function decodeJwtPayload(token) {
  const payload = token.split(".")[1];
  // Convert Base64url to standard Base64: swap the URL-safe characters back and restore the padding
  const base64 = payload
    .replace(/-/g, "+")
    .replace(/_/g, "/")
    .padEnd(payload.length + (4 - payload.length % 4) % 4, "=");
  // atob() returns a byte string; decode those bytes as UTF-8 so non-ASCII claim values survive
  const bytes = Uint8Array.from(atob(base64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

const payload = decodeJwtPayload(token);
// { sub: "1234567890", name: "Alice", iat: 1516239022 }

What the decoded payload contains

Common JWT claims you'll see:

  • sub: Subject (usually the user ID)
  • iat: Issued at (Unix timestamp)
  • exp: Expiry (Unix timestamp)
  • aud: Audience (who the token is intended for)
  • roles or scope: Custom claims your app adds

Important: decoding is not verification

Anyone can decode a JWT payload. The claims are not encrypted. Don't put sensitive data in a JWT payload that you wouldn't want a user to read. The signature in part three prevents tampering, but doesn't prevent reading. If you need to keep data private, use encrypted JWTs (JWE) instead of signed JWTs (JWS).

To quickly inspect any JWT, paste it into our Base64 Decoder after extracting the middle section.
