Can anyone decode a JWT without the secret key?

Yes. A JWT payload is Base64-encoded, not encrypted. Anyone with the token can decode the header and payload to read the claims (user ID, email, roles, expiration). The secret key is only needed to verify the signature — confirming the token was issued by a trusted server and has not been tampered with. Decoding and verifying are two separate operations.

Is it a security risk that JWTs can be decoded without the secret?

Not by design. JWTs are meant to be readable — they carry claims that the client needs (user ID, permissions, expiration time). The security comes from the signature, not encryption. The signature ensures that nobody can modify the payload without detection. If you need the payload contents to be hidden, you should use JWE (JSON Web Encryption), not standard JWT.

What is the difference between decoding and verifying a JWT?

Decoding reads the token contents by Base64-decoding the header and payload. Anyone can do this. Verifying checks the signature to confirm the token was created by a trusted issuer and has not been modified. Only the party with the secret key (HMAC) or public key (RSA/ECDSA) can verify. Decoding tells you what the token says. Verifying tells you if you should trust it.

What information is visible in a decoded JWT?

Everything in the header and payload is visible. Common visible claims: sub (subject/user ID), email, name, roles or permissions, iat (issued at timestamp), exp (expiration timestamp), iss (issuer), aud (audience). The only part that cannot be read meaningfully is the signature — it is a cryptographic hash that only makes sense to the verifying party.

Should I store sensitive data in a JWT payload?

No. Never put passwords, credit card numbers, social security numbers, or other sensitive data in a JWT payload. The payload is Base64-encoded, not encrypted — anyone with the token can read it. JWTs are designed for identity claims (who is this user, what can they do, when does this expire), not for transporting secrets.

How do I decode a JWT in code without a library?

A JWT has three parts separated by dots: header.payload.signature. To decode: (1) split by dots, (2) take the first two parts, (3) Base64url-decode each, (4) parse as JSON. In JavaScript: JSON.parse(atob(token.split(".")[1])). In Python: json.loads(base64.urlsafe_b64decode(token.split(".")[1] + "==")). No secret key or library needed.

What is Base64url encoding in JWTs?

Base64url is a URL-safe variant of Base64 encoding. It replaces + with - and / with _, and removes padding (= signs). JWTs use Base64url (not standard Base64) so the token can be safely included in URLs, headers, and query parameters without special encoding. When decoding manually, you may need to add back the padding characters (= or ==) depending on your Base64 decoder.

Can I modify a JWT without the secret key?

You can modify the payload, but the signature will no longer be valid. Any server that verifies the signature will reject the modified token. The signature is a cryptographic hash of the header + payload using the secret key. Changing even one character in the payload changes the expected signature. Without the secret key, you cannot generate a valid signature for the modified payload.

JWT Decode Without Secret Key — How Anyone Can Read Your Token (and Why That Is Fine)

Last updated: April 20268 min readDeveloper Tools

A JWT (JSON Web Token) can be decoded by anyone without the secret key. The payload is not encrypted — it is Base64-encoded, which means anyone with the token can read the header and payload contents. The secret key is only needed to verify the signature, not to read the token.

This surprises many developers the first time they learn it. You paste a JWT into a decoder and see the user ID, email, roles, and expiration — without entering any key or password. Here is exactly how it works and why this design is intentional.

Anatomy of a JWT

A JWT is three Base64url-encoded strings separated by dots:

eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U

Part	Contains	Can Decode Without Key?	Example Content
Header (part 1)	Algorithm and token type	\u2713 Yes — Base64url decode it	{"alg":"HS256","typ":"JWT"}
Payload (part 2)	Claims (user data, expiration, etc.)	\u2713 Yes — Base64url decode it	{"sub":"1234567890","name":"John","exp":1717027200}
Signature (part 3)	Cryptographic hash	\u2717 Cannot meaningfully read — it is a hash	HMACSHA256(header + "." + payload, secret)

Why JWTs Are Readable by Design

JWTs are not designed to hide information. They are designed to prove information. The distinction matters:

The payload is a message: "This is user #1234, they have admin role, and this token expires in 1 hour." The client (browser, mobile app) needs to read this information to function — to show the username, check if the session has expired, or decide which UI elements to display.
The signature is a seal: It proves the message came from the trusted server and has not been tampered with. Without the secret key, you cannot create a valid signature — so you cannot forge or modify the token.
The design is intentional: If the payload were encrypted, the client would need the decryption key, which would need to be stored client-side (insecure), or the client would need to call the server to decrypt every token (defeating the purpose of JWTs being self-contained).

What Stays Protected

Protected By Signature	Not Protected
Token integrity — any modification invalidates the signature	Payload contents — anyone with the token can read the claims
Issuer authenticity — only the server with the key can create valid tokens	Replay attacks — a stolen valid token can be reused until it expires
Claim values — sub, exp, roles cannot be changed without detection	Token theft — JWTs should be transmitted over HTTPS and stored securely

How to Decode Without a Key (Step by Step)

Decoding a JWT without a library or secret key takes 3 steps:

Split the token by dots: The three parts (header, payload, signature) are separated by periods.
Base64url-decode the first two parts: Convert from Base64url encoding to plain text. Note: Base64url uses - instead of + and _ instead of /. Some decoders need you to replace these characters and add padding (== at the end) before decoding.
Parse the JSON: Each decoded part is a JSON object. Parse it to read the claims.

In practice, just paste the token into a JWT decoder tool and see the header, payload, and signature status instantly. No key needed for reading — the tool handles the Base64url decoding automatically.

When You DO Need the Secret Key

Verifying on the server: Before trusting a JWT in your backend, verify the signature. This requires the secret key (HMAC) or public key (RSA/ECDSA). Never trust a JWT without verification on the server side.
Creating new tokens: Generating a JWT requires signing with the secret key. Only your auth server should have this key.
Detecting tampering: If someone modifies the payload (e.g., changing role from "user" to "admin"), signature verification will fail — but only if you actually verify it.

Common Misconceptions

"JWTs are encrypted" — No. Standard JWTs (JWS — JSON Web Signature) are signed, not encrypted. JWE (JSON Web Encryption) exists but is rarely used. Most JWTs in the wild are signed only.
"I need the secret to see the payload" — No. The secret is for signature verification, not decryption. The payload is readable by anyone.
"If someone decodes my JWT, my app is compromised" — Not necessarily. Decoding reveals the claims, but without the secret key, they cannot modify the token or create new ones. The risk is in what claims you put in the payload — sensitive data should not be there.
"Base64 encoding is a form of encryption" — No. Base64 is an encoding scheme (like converting binary to text), not encryption. It provides zero security. Anyone can decode Base64 in milliseconds.

What You Should Never Put in a JWT Payload

Passwords or password hashes
Credit card numbers or financial data
Social security numbers or government IDs
Full addresses or phone numbers
API secrets or private keys
Any data that would cause harm if read by an unauthorized party

Safe to include: User ID, username, email (if non-sensitive), roles/permissions, token expiration, issuer, audience. These are identity claims — they answer "who is this user and what can they do?" without revealing secrets.

Pair These Tools Together

JWT Decoder — decode any JWT token instantly, see header, payload, and expiration
Base64 Encoder Decoder — manually decode Base64url strings from JWT parts
JSON Formatter — format the decoded JWT payload JSON for readability
Hash Generator — understand the cryptographic hashes used in JWT signatures
URL Encoder Decoder — encode JWTs for safe URL transmission
Diff Checker — compare two JWT payloads side by side
Timestamp Converter — convert JWT exp and iat Unix timestamps to readable dates

Honest Limitations

This article covers standard JWTs (JWS). JWE (JSON Web Encryption) tokens ARE encrypted and cannot be decoded without the decryption key — but JWE is uncommon. If you encounter a JWT that cannot be decoded, it may be a JWE token. Also, while reading a JWT is harmless, a stolen JWT can be used to impersonate the user until it expires. Always transmit JWTs over HTTPS and set reasonable expiration times.

Decode any JWT token right now — paste it and see the header, payload, and expiration instantly.

Open JWT Decoder

JWT Decode Without Secret Key — How Anyone Can Read Your Token (and Why That Is Fine)

Anatomy of a JWT

Why JWTs Are Readable by Design

What Stays Protected

How to Decode Without a Key (Step by Step)

When You DO Need the Secret Key

Common Misconceptions

What You Should Never Put in a JWT Payload

Pair These Tools Together

Honest Limitations

Related Posts

Free JWT Decoder

JWT Decode vs Verify

Best JWT Decoder Tools (2026)

Free JWT Viewer No Signup