fastify-xauth-jwks

decodeToken

Decode a JWT payload without signature verification — re-export of jose.decodeJwt.

Decode the payload of a JWT string without verifying its signature. A re-export of jose.decodeJwt: it splits the compact serialization into its three segments, base64url-decodes the middle one and parses it as JSON. Nothing about the header, the signature or the claim values is checked. Useful for inspecting token claims (e.g., exp, sub, roles) before passing the token through the full verification flow.

Warning: This function does not validate the token in any way. It does not verify the signature and it does not check exp, nbf, iss or aud, so every claim it returns is attacker-controlled until verifyJWT has accepted the token. Never use it as a security check; use it for inspection only, and always verify tokens with verifyJWT before trusting any claims or making an authorization decision on them.

Signature

import { decodeToken } from "@xenterprises/fastify-xauth-jwks/utils";

decodeToken(token: string): JWTPayload

Params

Name    Type     Required   Description
token   string   Yes        Raw JWT string to decode (compact JWS serialization: header.payload.signature).

Returns

JWTPayload — The decoded JWT payload claims object (e.g., { sub, exp, iat, roles, ... }). Standard claims such as exp and iat are optional in a JWT, so treat them as possibly undefined; exp and iat are expressed in seconds since the Unix epoch, not milliseconds.

Throws

Throws (jose JWTInvalid) if token is not a string, does not have exactly three dot-separated segments, is an encrypted JWT (five-segment JWE) rather than a compact JWS, or if the payload segment does not decode to a JSON object (malformed base64url, invalid JSON, or a non-object value). It never returns null or undefined.

Examples

Basic — inspect expiry before a slow operation

import { decodeToken, extractToken } from "@xenterprises/fastify-xauth-jwks/utils";

fastify.post("/admin/export", async (request, reply) => {
  // request.auth is only populated once verifyJWT has accepted the token.
  // The unverified decode below adds a convenience check on the remaining
  // lifetime; it does not replace that verification.
  const token = extractToken(request);
  if (!token) {
    return reply.code(401).send({ error: "Missing bearer token" });
  }

  const payload = decodeToken(token);

  // exp is optional in a JWT and is expressed in seconds, not milliseconds.
  if (typeof payload.exp !== "number") {
    return reply.code(401).send({ error: "Token has no expiry claim" });
  }

  const expiresIn = payload.exp * 1000 - Date.now();

  if (expiresIn < 60_000) {
    return reply.code(401).send({
      error: "Token expires too soon to complete this export",
    });
  }

  return startExport(request.auth.userId);
});

Realistic — log token metadata for debugging

import { decodeToken, extractToken } from "@xenterprises/fastify-xauth-jwks/utils";

fastify.addHook("onRequest", async (request) => {
  const token = extractToken(request);
  if (token) {
    try {
      const payload = decodeToken(token);
      // Log selected claims only, never the raw token: the token is a
      // bearer credential and does not belong in log storage.
      fastify.log.debug({
        sub: payload.sub,
        exp: payload.exp,
        roles: payload.roles,
      }, "Incoming token claims (unverified)");
    } catch {
      // token is malformed; verification will reject it shortly
    }
  }
});

See Also

  • decodeHeader — Decode the JWT header (algorithm, key ID) without verification
  • verifyJWT — Cryptographically verify a token before trusting its claims
  • extractToken — Extract the raw token string from a request

AI Context

package: "@xenterprises/fastify-xauth-jwks"
import: decodeToken from "@xenterprises/fastify-xauth-jwks/utils"
use-when: Decode JWT payload without signature verification — for inspecting claims only, NOT for auth
returns: decoded payload object (JWTPayload); throws on malformed input, never returns null
Copyright © 2026