SoftwareTestPilot
API TestingPublished: 10 min read

How to Decode and Verify JWT Tokens (2026 QA Guide)

Decode, verify, and debug JWT tokens the safe way. Covers HS256, RS256, ES256, JWKS lookup, expiry checks, and how to test JWT auth in Postman, Playwright, and Rest Assured.

Avinash Kamble
Founder & QA Engineer at SoftwareTestPilot
Reviewed by Priyanka G.
Share:XLinkedInWhatsApp

2026-07-17 · By Avinash Kamble, reviewed by Priyanka G.

JWTs (JSON Web Tokens) power almost every modern API auth flow — OAuth 2.0, OpenID Connect, service-to-service auth. As a QA engineer you will decode, tamper with, expire, and forge them daily. This guide shows the right way to do all four without leaking secrets or trusting the wrong signature.

Anatomy of a JWT

A JWT is three base64url-encoded parts joined by dots: header.payload.signature. The header declares the algorithm (HS256, RS256, ES256…), the payload carries claims (sub, exp, iat, aud, custom fields), and the signature is what proves the token was issued by someone holding the key.

eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMiLCJleHAiOjE3MzUwMDAwMDB9.abc123...

Decoding is not verifying — the #1 mistake

Any JWT can be decoded because base64url is not encryption. Anyone with the token can read the payload. Verifying is separate: it checks the signature against the issuer's key and confirms the claims (exp, nbf, iss, aud). A QA suite that only decodes is testing nothing about auth.

Verify HS256 in three lines

// Node / Playwright
import jwt from "jsonwebtoken";
const claims = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ["HS256"] });
expect(claims.sub).toBe(userId);

Always pin algorithms. If you omit it, an attacker can send alg: none or downgrade RS256 to HS256 and pass your public key as the HMAC secret.

Verify RS256 / ES256 via JWKS

For OAuth providers (Auth0, Okta, Cognito, Google) fetch the JWKS from /.well-known/jwks.json, pick the key whose kid matches the token header, then verify. Cache the JWKS for 10 minutes to avoid rate limits.

import { createRemoteJWKSet, jwtVerify } from "jose";
const jwks = createRemoteJWKSet(new URL(iss + "/.well-known/jwks.json"));
const { payload } = await jwtVerify(token, jwks, { issuer: iss, audience: aud });

Common expiry & clock-skew bugs

  • exp in seconds, not ms. Date.now()/1000 — a common off-by-1000 leaves tokens "always expired".
  • Clock skew. Allow ±30s (clockTolerance: 30) or CI flakes when the runner drifts.
  • nbf not-before. Tokens rejected for a few seconds after issuance if nbf > now.

Decode safely in one click

Pasting production tokens into jwt.io sends them over the wire. The free JWT Debugger runs 100% in your browser — no network calls — and adds a 15-check vulnerability audit (alg=none, weak HS secrets, jku/kid injection, sensitive-claim leakage, missing exp), live expiry countdown, and one-click export to Postman, Playwright, Rest Assured, cURL, Axios, and Fetch.

Frequently asked questions

1.Is it safe to paste a real JWT into an online debugger?
Only if the tool processes it entirely in the browser with no network calls. Our JWT Debugger is client-side; the token never leaves your machine.
2.What's the difference between JWT and OAuth?
OAuth 2.0 is the authorization framework; JWT is one of the token formats OAuth can issue. You can have OAuth without JWTs (opaque tokens) and JWTs without OAuth.
3.Can I verify a JWT without the secret?
For HS* you need the shared secret. For RS*/ES* you need the issuer's public key (usually from JWKS). Without either you can only decode, not verify.
4.How long should a JWT live?
Access tokens: 5–15 minutes. Refresh tokens: hours to days, stored httpOnly. Never issue long-lived access tokens — you cannot revoke a JWT once signed.
Keep going

Practice these questions

Rehearse REST, Postman, REST Assured and contract-testing questions with worked examples.

Found this useful?
Share:XLinkedInWhatsApp

Was this article helpful?

Cluster · API Testing

More from REST API Testing

REST fundamentals — verbs, status codes, contracts.

Pillar guide · 30 articles
More in this cluster
From the API Testing pillar

Keep building your QA edge

Practice these questions live

Rehearse with an AI QA interviewer that scores your answers in real time.

Start a Free AI Mock Interview →

Continue reading

Join the QA Community

Connect with fellow testers, share job leads, and get career advice.

Premium QA Resources

Stop Reinventing the Wheel. Upgrade Your QA Arsenal.

Take your testing skills from beginner to Lead Engineer. Supercharge your daily workflow with our premium digital resources.

  • Ready-to-use testing strategy templates
  • Advanced API & UI automation guides
  • ⏱️ Save 10+ hours a week on test planning
4.9/5 rating
Explore All Products

⭐⭐⭐⭐⭐ Trusted by 1,000+ Software Test Pilots • Instant Access