Demystifying JWT Decoding: A Step-by-Step Guide to Manual Payload Extraction in JavaScript

4 min read Aldawsari
4 min read

📚 Quick Review: This practical application is built upon a fundamental programming concept. Review the Theory Lesson here first.

Unpacking JWT Payloads: A Manual JavaScript Approach

While libraries simplify JWT handling, understanding the underlying mechanics of decoding a JWT payload is a valuable skill. This lesson breaks down a JavaScript function designed to extract and parse the payload from a JWT without relying on external dependencies. This approach is particularly useful for client-side applications where you might want to display user information or for learning purposes.

The Manual Decoding Function

Here’s the JavaScript function we’ll be dissecting:

/**
 * دالة لفك تشفير JWT واستخراج البيانات بدون استخدام مكتبات خارجية
 * @param {string} token - رمز JWT كامل
 * @returns {object|null} - البيانات المفككة أو قيمة فارغة في حال الخطأ
 */
function decodeJWTPayload(token) {
  try {
    const base64Url = token.split('.')[1];
    if (!base64Url) return null;
    
    const base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');
    const jsonPayload = decodeURIComponent(
      atob(base64)
        .split('')
        .map((c) => '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2))
        .join('')
    );

    return JSON.parse(jsonPayload);
  } catch (error) {
    console.error('Failed to decode JWT:', error);
    return null;
  }
}

Line-by-Line Code Breakdown

1. Function Signature and Error Handling

function decodeJWTPayload(token) {
  try {
    // ... decoding logic ...
  } catch (error) {
    console.error('Failed to decode JWT:', error);
    return null;
  }
}

The function decodeJWTPayload accepts a single argument, token, which is the complete JWT string. It’s wrapped in a try...catch block to gracefully handle any errors that might occur during the decoding process, returning null if an error is encountered.

2. Extracting the Base64Url Encoded Payload

    const base64Url = token.split('.')[1];
    if (!base64Url) return null;

A JWT is structured as Header.Payload.Signature. The split('.') method divides the token string into an array using the dot as a delimiter. The payload is always the second part, hence [1]. A quick check ensures that the payload part actually exists; if not, it returns null.

3. Converting Base64Url to Standard Base64

    const base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');

The JWT specification uses Base64Url encoding, which is a URL-safe variant of standard Base64. This means that characters like + and / are replaced with - and _, respectively. This line performs the necessary replacements to convert the Base64Url string back to a standard Base64 string, which is compatible with the browser’s native atob() function.

4. Base64 Decoding and UTF-8 Character Handling

    const jsonPayload = decodeURIComponent(
      atob(base64)
        .split('')
        .map((c) => '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2))
        .join('')
    );

This is the most intricate part of the function:

  • atob(base64): The browser’s native atob() function decodes the Base64 string into a binary string (a string where each character’s code point is in the range 0-255). However, atob() treats the input as Latin-1 (ISO-8859-1), which can cause issues with multi-byte UTF-8 characters often found in JSON payloads.
  • .split('').map((c) => '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2)).join(''): This chain of operations is a common workaround to correctly handle UTF-8 characters after atob(). It takes the Latin-1 string, converts each character’s code point into its hexadecimal representation (e.g., 'a' becomes '%61'), and prefixes it with %. This effectively creates a URI-encoded string.
  • decodeURIComponent(...): Finally, decodeURIComponent() takes this URI-encoded string and correctly decodes it into a human-readable UTF-8 string, preserving any special characters or emojis.
💡 Developer Tip: The UTF-8 conversion step (.split('').map(...)) is crucial. Without it, JWT payloads containing non-ASCII characters (like many international names or special symbols) would be incorrectly decoded, leading to corrupted data or JSON parsing errors. This is a very common pitfall in manual JWT decoding.

5. Parsing the JSON Payload

    return JSON.parse(jsonPayload);

Once the jsonPayload string is correctly decoded from Base64Url and UTF-8, it’s a standard JSON string. JSON.parse() converts this string into a JavaScript object, making the claims easily accessible.

Execution Environment Considerations

This particular function is designed for a browser environment because it relies on the global atob() and decodeURIComponent() functions, which are standard Web APIs. If you were to use this function in a Node.js environment, you would need to replace atob() with Node.js’s Buffer API for Base64 decoding:

// Node.js equivalent for Base64 decoding
const decoded = Buffer.from(base64, 'base64').toString('utf8');

The decodeURIComponent part would remain the same, but the intermediate UTF-8 conversion step might be simplified or unnecessary depending on how Buffer.toString('utf8') handles the output.

Understanding this manual decoding process not only provides a fallback when libraries aren’t an option but also deepens your appreciation for how JWTs work at a fundamental level.

Leave a Reply

Your email address will not be published. Required fields are marked *