Lesson 3

Decode vs Verify in Spanish

Spanish guide to jwt decode vs verify: Why reading JWT JSON is not the same as trusting the token.

This content is not yet available in Spanish. The English version is shown while we complete the localization.

Decoding a JWT means converting Base64URL text back into JSON. Verifying a JWT means proving that the token is acceptable for your application.

Decode answers readability questions

Decode helps answer:

  • What algorithm does the header claim?
  • Which user or service is named in sub?
  • Is exp in the past?
  • Which scopes or roles are present?

This is useful for debugging, but it is not a security decision.

Verify answers trust questions

Verification checks:

  • The signature matches a trusted secret or public key.
  • The algorithm is one your application allows.
  • iss is a trusted issuer.
  • aud matches your service.
  • exp, nbf, and clock skew rules are satisfied.

If any of these checks are missing, a token may look valid after decoding but still be unsafe.
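The following script is an added example, not code from the original lesson: it puts a decode-only inspector next to a verifier that runs the checks listed above for an HS256 token, using only the Python standard library. The secret, issuer, audience, claims and fixed clock are constructed sample values, and the tokens are minted by the script itself so it runs offline. The same tampered token decodes cleanly but fails the signature check, and a token whose header claims a different algorithm is rejected before its payload is ever read.

```python
# Added example, not code from the original lesson: decode-only inspection
# next to full verification of an HS256 JWT, standard library only.
# The secret, issuer, audience and claims are constructed sample values.
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"   # assumption: the shared HMAC key
ISSUER = "https://issuer.example"      # assumption: trusted issuer
AUDIENCE = "orders-api"                # assumption: this service's audience
ALLOWED_ALGS = {"HS256"}               # explicit allowlist; "none" never qualifies
NOW = 1_700_000_000                    # fixed clock so the example is deterministic


def b64url_decode(segment: str) -> bytes:
    """Base64URL decode, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode(token: str) -> dict:
    """Readability only: header and payload back to JSON. The signature is
    ignored, so nothing returned here is evidence of trust."""
    header_b64, payload_b64, _sig = token.split(".")
    return {"header": json.loads(b64url_decode(header_b64)),
            "payload": json.loads(b64url_decode(payload_b64))}


def verify(token: str, secret: bytes, issuer: str, audience: str,
           now: int, skew: int = 60) -> dict:
    """Trust decision: returns the claims only if every check passes,
    otherwise raises ValueError naming the first failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # 1. Algorithm allowlist: the header is untrusted text until the
    #    signature has been checked, so it may not choose the algorithm.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    # 2. Signature over header.payload with the trusted secret, compared
    #    in constant time.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))   # now worth reading
    # 3. Issuer and audience must be the ones this service expects.
    if claims.get("iss") != issuer:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    # 4. exp and nbf with a bounded clock skew; a missing exp is rejected.
    if "exp" not in claims or now > claims["exp"] + skew:
        raise ValueError("expired or missing exp")
    if now + skew < claims.get("nbf", now):
        raise ValueError("not yet valid")
    return claims


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Issuer side, included only so the example can mint sample tokens."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


# Constructed sample tokens: a valid one, a copy with an edited payload, and
# one whose header claims no algorithm and carries an empty signature.
GOOD = sign_hs256({"alg": "HS256", "typ": "JWT"},
                  {"sub": "user-123", "iss": ISSUER, "aud": AUDIENCE,
                   "exp": NOW + 300, "nbf": NOW - 10, "scope": "orders:read"},
                  SECRET)
_h, _p, _s = GOOD.split(".")
_edited = json.loads(b64url_decode(_p))
_edited["scope"] = "orders:admin"       # payload changed, signature untouched
TAMPERED = ".".join([_h, b64url_encode(json.dumps(_edited, separators=(",", ":")).encode()), _s])
NONE_ALG = ".".join([b64url_encode(b'{"alg":"none","typ":"JWT"}'), _p, ""])


def check(token: str, now: int = NOW, audience: str = AUDIENCE) -> str:
    """'verified' or the reason verification failed."""
    try:
        verify(token, SECRET, ISSUER, audience, now=now)
        return "verified"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    for name, tok in (("good", GOOD), ("tampered", TAMPERED), ("alg none", NONE_ALG)):
        print(name, "decodes to scope", decode(tok)["payload"]["scope"], "->", check(tok))
```

Running it prints that all three tokens decode to a readable scope (the tampered one even shows the elevated value), while only the first one verifies. The order of the checks matters: the algorithm allowlist and the signature come first, and the payload is parsed for a decision only after the signature has been confirmed, because until then every field in it is just unauthenticated text.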

The rule of thumb

Use a decoder to inspect. Use your authentication library, identity provider, or backend middleware to verify.
