Does the jwt "decode" functionality "verify" the token or only decode the token? If it only decodes, what exactly does the decode function do?

I need to know more details about the jwt.decode functionality in Python.

1 Like

Since you’re asking about jwt.decode, I assume you’re using node-jsonwebtoken. From the repository:

jwt.decode:

  • (Synchronous) Returns the decoded payload without verifying if the signature is valid. Warning: This will not verify whether the signature is valid. You should not use this for untrusted messages. You most likely want to use jwt.verify instead.

jwt.verify:

  • (Asynchronous) If a callback is supplied, function acts asynchronously. The callback is called with the decoded payload if the signature is valid and optional expiration, audience, or issuer are valid. If not, it will be called with the error.
  • (Synchronous) If a callback is not supplied, function acts synchronously. Returns the payload decoded if the signature is valid and optional expiration, audience, or issuer are valid. If not, it will throw the error.

The jwt.decode method only decodes the token and should only ever be used on trusted messages. Since jwt.verify also decodes the token after verification, it provides a safer and more secure way to decode the token, so it should be the preferred method.

2 Likes
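To make the decode-versus-verify distinction concrete for the Python side of the question, here is an added example that is not part of the thread and not code from node-jsonwebtoken or PyJWT. It implements the two operations by hand for HS256 using only the standard library: `decode_unverified` mirrors what jwt.decode does (base64url-decode the payload, check nothing), and `verify_hs256` mirrors what jwt.verify does (recompute the HMAC over header.payload, compare it in constant time, then check `exp`, and only then return the payload). The secret, claims and the `forge_payload` helper are constructed for the demo; they show that an altered payload still decodes cleanly but fails verification, which is exactly why the README says not to use decode on untrusted messages. With the real PyJWT library, `jwt.decode(token, key, algorithms=["HS256"])` verifies by default, and signature checking is only skipped if you pass `options={"verify_signature": False}`.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    # JWT uses base64url without padding (RFC 7515 section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    # Re-add the padding that was stripped at encode time
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint a compact-serialised HS256 JWT: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """What jwt.decode does: parse the payload, check nothing. Trusted input only."""
    _header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """What jwt.verify does: check signature and expiry, then return the payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the verifier side; never let the token choose it
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    payload = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def try_verify(token: str, key: bytes, now: Optional[float] = None) -> str:
    """Convenience wrapper: 'ok' on success, otherwise the rejection reason."""
    try:
        verify_hs256(token, key, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def forge_payload(token: str, new_payload: dict) -> str:
    """Constructed 'untrusted message': swap the payload, keep the old signature."""
    header_b64, _payload_b64, sig_b64 = token.split(".")
    new_b64 = _b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode())
    return f"{header_b64}.{new_b64}.{sig_b64}"


# Constructed demo secret; a real key would come from a secrets manager
DEMO_KEY = b"constructed-demo-secret-do-not-reuse"

if __name__ == "__main__":
    good = sign_hs256({"sub": "alice", "role": "user", "exp": 2_000_000_000}, DEMO_KEY)
    bad = forge_payload(good, {"sub": "alice", "role": "admin", "exp": 2_000_000_000})
    print("decode(good):", decode_unverified(good))
    print("decode(bad): ", decode_unverified(bad))  # happily returns role=admin
    print("verify(good):", try_verify(good, DEMO_KEY))
    print("verify(bad): ", try_verify(bad, DEMO_KEY))  # invalid signature
```

The takeaway is in the last two lines: decoding the forged token returns the attacker-chosen claims as if nothing were wrong, while verification rejects it. Any code path that reads claims from an inbound token must go through the verify step, and the algorithm check should be hard-coded on the server rather than read from the token header.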