How to Check JWT Contents | How Tampering is Detected
Anyone can decode the contents of a JWT: the token is encoded, not encrypted. What the signature gives you is tamper detection. A token that has been forged or modified fails the server's signature check, provided the signing key stays secret.
The JWT Structure
A JWT consists of Header.Payload.Signature — three segments joined by dots (.).
- Header — Names the signing algorithm (for example HS256) and, usually, the token type.
- Payload — Contains actual data, like user IDs and expiration dates.
- Signature — Ensures the data has not been modified.
The Header and Payload are simply Base64Url encoded, so anyone can easily decode and read them.
| Encryption | Encoding |
|---|---|
| Irreversible without the key | Reversible by anyone |
| Purpose: Hide the contents | Purpose: Change format |
Never put a password, credit card number or other secret in a JWT payload; anyone who holds the token can read it. Include only non-sensitive claims such as user IDs, scopes and expiry times.
Decoding and Inspecting Contents
For example, take this JWT:
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0IiwibmFtZSI6IlRhcm8ifQ.xxxxx
Base64Url-decoding the second segment (the payload) gives:
```json
{
"sub": "1234",
"name": "Taro"
}
```
When debugging problems like “authentication fails” or “permissions aren’t applied”, start by decoding the payload and checking the claims it actually carries (subject, scopes, expiry). Decoding shows what the token says, not whether it is genuine; only signature verification establishes that.
How Tampering is Prevented
“What happens if I edit the payload?” — The server’s signature check will block it.
When issuing a JWT, the server computes the signature over the encoded Header and Payload (the string header.payload) with a secret key that only it knows; for HS256 that is an HMAC-SHA256. On every request the server recomputes that value over the header and payload it received and compares it with the signature segment. Changing even one character of the payload changes the recomputed value, so it no longer matches the signature attached to the token, and an attacker cannot produce a matching signature without the key.
Result: the server rejects the token, typically with 401 Unauthorized.
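The following Python example is added here to illustrate both the decoding section above and the tampering check just described; it is not code from the original article. It uses only the standard library. It decodes the article's sample token (whose signature segment is a placeholder, so only header and payload are readable), then issues an HS256 token with a constructed demo secret, tampers with its payload the way an attacker would, and shows that the tampered token still decodes but no longer verifies. The function names and the secret are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Token from the article. Its third segment is the article's placeholder,
# so only the header and payload can be decoded.
ARTICLE_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0IiwibmFtZSI6IlRhcm8ifQ.xxxxx"

# Constructed demo secret for this example; a real server keeps its key out of source.
DEMO_SECRET = b"demo-secret-not-for-production"


def b64url_decode(segment: str) -> bytes:
    """Base64Url decode. JWT segments omit '=' padding, so restore it first."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(raw: bytes) -> str:
    """Base64Url encode without padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def inspect(token: str) -> Tuple[dict, dict]:
    """Decode header and payload WITHOUT checking the signature.
    Anyone can do this; it proves nothing about who issued the token."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue an HS256 token: HMAC-SHA256 over the string 'header.payload'."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(mac)}"


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Recompute the signature over the received header.payload and compare.
    Returns the payload on success, None on failure (the server would answer 401)."""
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: the token's own header must not choose how it is verified.
        if header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        # Constant-time comparison so timing does not leak how many bytes matched.
        if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
    except ValueError:  # malformed segments, bad base64, invalid JSON
        return None


def tamper(token: str, **changes) -> str:
    """Edit the payload the way an attacker would, leaving the old signature in place."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    new_payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload_b64}.{signature_b64}"


if __name__ == "__main__":
    print("article token:", inspect(ARTICLE_TOKEN))
    good = sign_hs256({"sub": "1234", "name": "Taro", "scope": "user"}, DEMO_SECRET)
    print("valid token verifies as:", verify_hs256(good, DEMO_SECRET))
    forged = tamper(good, scope="admin")
    print("tampered payload still decodes:", inspect(forged)[1])
    print("tampered token verifies as:", verify_hs256(forged, DEMO_SECRET))
```

Two details matter in practice: JWT segments drop the `=` padding, so a plain Base64 decoder must have it restored before the payload will decode, and the verifier must fix the expected algorithm itself rather than trusting the `alg` value in a header the client controls.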