From here, here and here.
Today I realized that a JWT is essentially plain text: its header and payload are just base64url-encoded JSON, so anyone holding the token can read them without knowing the signing key (only the signature needs the key). You can use some online tools (such as this and this), or the following Python script.
dejwt.py

```python
from base64 import urlsafe_b64decode
import json
import sys


def decode_jwt(token: str) -> dict:
    # A JWT is three base64url segments separated by dots: header.payload.signature
    chunks = token.split('.')
    # JWT strips the '=' padding; appending '==' restores it (the decoder
    # tolerates excess padding), then the bytes are plain UTF-8 JSON.
    header = urlsafe_b64decode(chunks[0] + '==').decode('utf-8')
    payload = urlsafe_b64decode(chunks[1] + '==').decode('utf-8')
    # The signature is kept as-is: this script only reads the token, it does
    # not verify it, so nothing it prints should be trusted as authentic.
    signature = chunks[2]
    result = {
        'header': json.loads(header),
        'payload': json.loads(payload),
        'signature': signature
    }
    return result


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('Usage: python dejwt.py <jwt_token>')
        sys.exit(1)
    print(json.dumps(decode_jwt(sys.argv[1]), indent=4))
```
And the running sample:
```
~> python dejwt.py 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
{
    "header": {
        "alg": "HS256",
        "typ": "JWT"
    },
    "payload": {
        "sub": "1234567890",
        "name": "John Doe",
        "iat": 1516239022
    },
    "signature": "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}
```
The structure of a JWT is well illustrated by the script above: decoding it needs no secret at all, so the payload must never carry anything confidential, and reading a token is not the same as verifying it. More details can be found in the official documents here and here.
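To make that last point concrete, here is an added example (not code from the original post) that puts the unverified decode beside a proper HS256 signature check. The key, claims and token are constructed for the demo; it shows that a payload altered after signing still decodes cleanly but is rejected by verification.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode('ascii')

def b64url_decode(segment: str) -> bytes:
    """Restore the padding a JWT strips, then decode."""
    return base64.urlsafe_b64decode(segment + '=' * (-len(segment) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Build header.payload.signature, HMAC-SHA256 over the first two parts."""
    header = {'alg': 'HS256', 'typ': 'JWT'}
    signing_input = '.'.join(
        b64url_encode(json.dumps(part, separators=(',', ':')).encode())
        for part in (header, claims))
    mac = hmac.new(key, signing_input.encode('ascii'), hashlib.sha256).digest()
    return signing_input + '.' + b64url_encode(mac)

def decode_unverified(token: str) -> dict:
    """What dejwt.py does: read the claims without checking anything."""
    return json.loads(b64url_decode(token.split('.')[1]))

def verify_hs256(token: str, key: bytes):
    """Return the claims only if the signature is valid, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split('.')
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get('alg') != 'HS256':  # pin the algorithm
        return None
    expected = hmac.new(key, f'{header_b64}.{payload_b64}'.encode('ascii'),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return json.loads(b64url_decode(payload_b64))

KEY = b'demo-secret-do-not-use'  # constructed demo key (hypothetical)
TOKEN = sign_hs256({'sub': '1234567890', 'name': 'John Doe', 'iat': 1516239022}, KEY)

def with_altered_payload(token: str) -> str:
    """A token whose payload was edited after signing: what verification must catch."""
    header_b64, _, sig_b64 = token.split('.')
    forged = b64url_encode(b'{"sub":"admin"}')
    return f'{header_b64}.{forged}.{sig_b64}'
```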