Extract and decode the payload from a JWT token without verification. Useful for reading claims like user ID, expiration time, and roles from tokens.
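Code
// decodeJwtPayload is an illustrative name for the wrapper function
function decodeJwtPayload(token) {
  // The payload is the middle of the three dot-separated parts
  const base64Url = token.split('.')[1];
  // Map the Base64URL alphabet back to standard Base64 for atob()
  const base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');
  // Percent-encode each byte so decodeURIComponent() decodes UTF-8 correctly
  const payload = decodeURIComponent(atob(base64).split('').map(c =>
    '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2)
  ).join(''));
  return JSON.parse(payload);
}
Parameters
token: JWT token string.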
What is a JWT?
A JSON Web Token (JWT) has three parts separated by dots:
header.payload.signature
| Part | Purpose | Encoded |
|---|---|---|
| Header | Algorithm & token type | Base64URL |
| Payload | Claims (user data, expiry) | Base64URL |
| Signature | Verification hash | Base64URL |
This snippet decodes the payload (middle part) to read the claims.
Common JWT Claims
{
"sub": "1234567890", // Subject (user ID)
"name": "John Doe", // Custom claim
"iat": 1516239022, // Issued at (Unix timestamp)
"exp": 1516242622, // Expiration time
"aud": "my-app", // Audience
"iss": "auth-server" // Issuer
}
Security Warning
This does NOT verify the token! Anyone can create a JWT with any payload. Always verify the signature server-side before trusting the claims.
When to use this
- Display user info in UI (name, avatar)
- Check if token is expired before making API calls
- Debug authentication issues
- Read non-sensitive metadata
When NOT to use this
- Authorization decisions (verify signature first!)
- Trusting user identity server-side
- Any security-critical logic
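The "check if token is expired before making API calls" use case, written out as an added example (not code from the original page). The names `readClaims`, `isExpired` and `makeSampleToken`, the 30-second skew and the sample token are assumptions made for illustration; the check fails closed on malformed input and, like the snippet above, never verifies the signature.

```javascript
// Added example; readClaims, isExpired and makeSampleToken are hypothetical names.
function readClaims(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;           // expect header.payload.signature
  try {
    const base64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    const bytes = Uint8Array.from(atob(base64), c => c.charCodeAt(0));
    const claims = JSON.parse(new TextDecoder().decode(bytes));
    const isObject = claims !== null && typeof claims === 'object' && !Array.isArray(claims);
    return isObject ? claims : null;             // a payload must be a JSON object
  } catch (err) {
    return null;                                 // bad Base64URL or bad JSON
  }
}

// True when the client should refresh the token before its next API call.
// Fails closed: malformed tokens and tokens without a numeric exp count as expired.
// skewSec (assumed default: 30) refreshes slightly early to absorb clock drift.
function isExpired(token, nowSec = Math.floor(Date.now() / 1000), skewSec = 30) {
  const claims = readClaims(token);
  if (!claims || typeof claims.exp !== 'number') return true;
  return nowSec >= claims.exp - skewSec;
}

// Constructed sample token: the page's sample claims plus filler text as the signature.
function makeSampleToken(claims) {
  const enc = obj => btoa(JSON.stringify(obj))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'HS256', typ: 'JWT' }), enc(claims), 'constructed-not-a-real-signature'].join('.');
}

const sample = makeSampleToken({ sub: '1234567890', name: 'John Doe', iat: 1516239022, exp: 1516242622 });

// The filler signature is never checked, so decoding succeeds anyway.
// This is why the result is only a UI hint; the server still has to verify the token.
console.log(readClaims(sample));
console.log(isExpired(sample, 1516240000));      // evaluated at a fixed time before exp
console.log(isExpired('not-a-token'));           // malformed input is treated as expired
```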