How to Read a JWT Payload (and Why Decoding Is Not Verifying)
2026-05-04
Inspect JWT structure for debugging: header, payload, and why only your server should trust verified tokens.
A JWT has three Base64url parts: header, payload, and signature, separated by dots.
Decoding the payload shows claims like sub, exp, and roles, which is useful for local debugging and support.
Anyone can forge a payload; trust comes only after your backend verifies the signature with the correct secret or public key.
Never treat a decoded JWT in the browser as proof of identity unless your API has already validated it.