fastify-xauth-local
jwt.decode
Decode a JWT without verifying its signature — useful for inspecting claims before validation.
Decodes a JWT and returns the full token structure (header, payload, signature) without verifying the signature or checking expiration. Use only for inspection — never for authorization.
Signature
```ts
const api = fastify.xauthlocal.get(name: string)

api.jwt.decode(
  token: string
): { header: object; payload: object; signature: string } | null
```
Params
| Name | Type | Required | Description |
|---|---|---|---|
| token | string | Yes | The JWT string to decode |
Returns
An object with header, payload, and signature properties, or null if the token is not a valid JWT structure.
Throws
Does not throw. Returns null for malformed tokens.
Examples
Basic: read the algorithm from a token header
```js
const api = fastify.xauthlocal.get("api");
const decoded = api.jwt.decode(token);

if (decoded) {
  console.log(decoded.header.alg); // 'HS256' or 'RS256'
  console.log(decoded.payload.exp); // expiration timestamp
}
```
Advanced: log expiration for debugging without verifying
```js
const api = fastify.xauthlocal.get("api");

fastify.get("/api/debug/token", async (request) => {
  // NOTE: this does not verify the signature — never use for auth
  const token = request.headers.authorization?.replace("Bearer ", "");
  const decoded = api.jwt.decode(token);
  if (!decoded) return { valid: false };

  // exp is optional and unverified here; an invalid Date would make
  // toISOString() throw, so report "no usable expiry" instead
  const expiry = new Date(decoded.payload.exp * 1000);
  if (Number.isNaN(expiry.getTime())) {
    return { expiresAt: null, isExpired: false, subject: decoded.payload.sub };
  }

  const isExpired = Date.now() > expiry.getTime();
  return { expiresAt: expiry.toISOString(), isExpired, subject: decoded.payload.sub };
});
```
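An added example (not part of the plugin's documentation or code) of the "inspect before validation" use: a pre-check that rejects tokens cheaply before the real `jwt.verify` call. `decodeUnverified` is a stand-in written to the contract documented above, and `precheck`, the algorithm allow-list, the `exp` requirement and the sample tokens are assumptions constructed for illustration.

```javascript
// Stand-in for api.jwt.decode, written to the contract documented above:
// returns { header, payload, signature } or null, never throws, never verifies.
function decodeUnverified(token) {
  if (typeof token !== "string") return null;
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const [header, payload] = parts.slice(0, 2).map((seg) =>
      JSON.parse(Buffer.from(seg, "base64url").toString("utf8")));
    return { header, payload, signature: parts[2] };
  } catch {
    return null; // segments were not base64url-encoded JSON
  }
}

const isObject = (v) => typeof v === "object" && v !== null;

// Hypothetical helper: cheap rejection before the real verify call.
// ok:true means "worth verifying", never "authenticated".
function precheck(token, allowedAlgs, nowSeconds = Math.floor(Date.now() / 1000)) {
  const decoded = decodeUnverified(token);
  if (!decoded || !isObject(decoded.header) || !isObject(decoded.payload)) {
    return { ok: false, reason: "malformed" };
  }
  // Rejects "none" and any algorithm the service does not issue.
  if (!allowedAlgs.includes(decoded.header.alg)) {
    return { ok: false, reason: "alg-not-allowed" };
  }
  const { exp } = decoded.payload;
  if (typeof exp !== "number") return { ok: false, reason: "missing-exp" }; // assumed policy
  if (exp <= nowSeconds) return { ok: false, reason: "expired" };
  return { ok: true, reason: "needs-verify" };
}

// Constructed samples: the signatures are placeholders, no real key is involved.
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const makeToken = (header, payload, sig) => `${enc(header)}.${enc(payload)}.${sig}`;
const NOW = 1700000000;
const samples = {
  unsigned: makeToken({ alg: "HS256" }, { sub: "u1", role: "admin", exp: NOW + 60 }, "bogus"),
  algNone: makeToken({ alg: "none" }, { sub: "u1", exp: NOW + 60 }, ""),
  expired: makeToken({ alg: "HS256" }, { sub: "u1", exp: NOW - 60 }, "bogus"),
  noExp: makeToken({ alg: "HS256" }, { sub: "u1" }, "bogus"),
  garbage: "not.a.jwt",
};

for (const [name, token] of Object.entries(samples)) {
  console.log(name, precheck(token, ["HS256"], NOW));
}
```

In the constructed `unsigned` sample the claims decode to `role: "admin"` and pass the pre-check with a placeholder signature, which is why the result only gates the call to `jwt.verify` and never stands in for it.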
See Also
- jwt.verify — decode with full signature verification (use for auth)
- jwt.sign — sign a new token
AI Context
package: "@xenterprises/fastify-xauth-local"
method: fastify.xauthlocal.get('name').jwt.decode(token)
use-when: Decode a JWT without verifying the signature — for inspecting claims only, NOT for auth
returns: { header, payload, signature } object | null
