Lesson 3

Decode vs Verify Japanese Guide

The JWT decode vs verify guide in Japanese: Why reading JWT JSON is not the same as trusting the token.

This content is not yet available in Japanese. The English version is shown until localization is complete.

Decoding a JWT means converting Base64URL text back into JSON. Verifying a JWT means proving that the token is acceptable for your application.

Decode answers readability questions

Decode helps answer:

  • What algorithm does the header claim?
  • Which user or service is named in sub?
  • Is exp in the past?
  • Which scopes or roles are present?

This is useful for debugging, but it is not a security decision.

Verify answers trust questions

Verification checks:

  • The signature matches a trusted secret or public key.
  • The algorithm is one your application allows.
  • iss is a trusted issuer.
  • aud matches your service.
  • exp, nbf, and clock skew rules are satisfied.

If any of these checks are missing, a token may look valid after decoding but still be unsafe.

The rule of thumb

Use a decoder to inspect. Use your authentication library, identity provider, or backend middleware to verify.
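As an added example (not part of the original lesson and not DevCove's code), here are the two operations side by side using only the Python standard library: `decode` only turns Base64URL back into JSON, while `verify` performs the trust checks listed above for an HS256 token. The secret, issuer, audience, clock value and sample tokens are constructed for the demo.

```python
import base64, hashlib, hmac, json

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode(token):
    # Decode only: Base64URL text back into JSON. Says what the token claims, not whether to trust it.
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def verify(token, key, issuer, audience, now, leeway=60):
    # Verify: trusted key, allowed algorithm, iss, aud, and exp/nbf with clock-skew leeway.
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":  # allowlist, not the header's choice
        raise ValueError("algorithm not allowed")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not match the trusted key")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired or has no exp")
    if now < claims.get("nbf", 0) - leeway:
        raise ValueError("token not yet valid")
    return claims

def sign_hs256(header, claims, key):
    # Helper used only to build the constructed sample tokens below.
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{h}.{p}." + b64url_encode(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())

KEY, NOW = b"constructed-demo-secret", 1_700_000_000  # constructed values, not real
CLAIMS = {"iss": "https://issuer.example", "aud": "orders-api", "sub": "user-42",
          "exp": NOW + 300, "nbf": NOW - 10, "scope": "orders:read"}
GOOD = sign_hs256({"alg": "HS256", "typ": "JWT"}, CLAIMS, KEY)
WRONG_KEY = sign_hs256({"alg": "HS256", "typ": "JWT"}, CLAIMS, b"some-other-secret")

def check(token):
    # Returns the verification outcome as text; a decoder alone cannot tell GOOD and WRONG_KEY apart.
    try:
        return "verified for " + verify(token, KEY, "https://issuer.example", "orders-api", NOW)["sub"]
    except ValueError as err:
        return "rejected: " + str(err)
```

`decode(GOOD)` and `decode(WRONG_KEY)` return identical header and payload, which is exactly why decoding is not a security decision; only `verify` separates them.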

If you want to practice, you can use the related DevCove tool. It is optional and not a required part of this lesson.

Open the related tool
