Lesson 3

Decode vs Verify

Why reading JWT JSON is not the same as trusting the token.

Decoding a JWT means converting Base64URL text back into JSON. Verifying a JWT means proving that the token is acceptable for your application.

Decode answers readability questions

Decode helps answer:

  • What algorithm does the header claim?
  • Which user or service is named in sub?
  • Is exp in the past?
  • Which scopes or roles are present?

This is useful for debugging, but it is not a security decision.

Verify answers trust questions

Verification checks:

  • The signature matches a trusted secret or public key.
  • The algorithm is one your application allows.
  • iss is a trusted issuer.
  • aud matches your service.
  • exp, nbf, and clock skew rules are satisfied.

If any of these checks are missing, a token may look valid after decoding but still be unsafe.
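As an added example (not code from the lesson), the two operations side by side in Python using only the standard library: decode() turns the Base64URL text back into JSON, while verify() runs the five checks listed above. SECRET, TRUSTED_ISS, OUR_AUD and NOW are constructed values for the demonstration; a real service would take them from its configuration and the clock, and only HS256 is implemented here.

```python
import base64, hashlib, hmac, json

# Constructed example values (not from the lesson): a shared HS256 secret plus the
# issuer and audience this service trusts.
SECRET = b"example-shared-secret"
TRUSTED_ISS, OUR_AUD, NOW = "https://issuer.example", "orders-api", 1_700_000_000

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint a test token; stands in for the identity provider."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def decode(token: str) -> dict:
    """Decode only: answers 'what does the token claim?' and nothing else."""
    head, body, _sig = token.split(".")
    return {"header": json.loads(b64url_decode(head)), "payload": json.loads(b64url_decode(body))}

def verify(token: str, key: bytes, now: int, leeway: int = 60) -> dict:
    """Verify: the five checks from the list, in order. Returns the claims or raises ValueError."""
    head, body, sig = token.split(".")
    header = json.loads(b64url_decode(head))
    # 1. Algorithm allowlist (only HS256 here), decided before the signature is touched.
    if header.get("alg") != "HS256":
        raise ValueError("algorithm not allowed")
    # 2. Signature over header.payload with the trusted key, constant-time compare.
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(body))
    # 3. and 4. Trusted issuer, and our audience (aud may be a string or a list).
    if claims.get("iss") != TRUSTED_ISS:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    if OUR_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    # 5. exp and nbf with clock-skew leeway; a missing exp is rejected, not ignored.
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("expired")
    if now + leeway < claims.get("nbf", now):
        raise ValueError("not yet valid")
    return claims

def outcome(token: str) -> str:
    """'ok' or the rejection reason, so decode and verify can be compared side by side."""
    try:
        verify(token, SECRET, NOW)
        return "ok"
    except ValueError as e:
        return str(e)
```

A token whose payload was altered after signing still decodes to perfectly readable JSON; verify() rejects it at the signature check before any claim is even read.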

The rule of thumb

Use a decoder to inspect. Use your authentication library, identity provider, or backend middleware to verify.

When you want to practice, use the related DevCove tool — optional, not part of this lesson.
