Community JavaScript Snippet

Verify a JWT Without a JWT Library

How I verify HS256 JSON Web Tokens with the Web Crypto API and zero npm dependencies. Decodes the segments, checks the signature in constant time, and refuses to trust `alg: none`.


Tags: JavaScript, Frontend, jwt, authentication, security, hashing (3 snippets)

By @chidiweber, April 30, 2026 (updated May 20, 2026)


Decoding a JWT is just three base64url segments separated by dots. The alphabet and padding step is the part most homegrown decoders get wrong: base64url swaps `+` and `/` for `-` and `_` and drops the `=` padding, and the built-in decoders disagree about how to treat that. `atob` throws on the url-safe characters and on any length of 4n+1, while Node's `Buffer.from('...', 'base64')` accepts the url-safe alphabet and missing padding and, for a 4n+1 length, silently drops the trailing character instead of failing. So a decoder that only works in one runtime is easy to write by accident. Translate the alphabet, add the padding yourself, and reject lengths that cannot come from any byte sequence, so the behaviour does not depend on where the code runs. The `signingInput` is the literal `header.payload` substring, which I keep around because in the next stage we HMAC exactly those bytes (not the parsed JSON: re-serializing it can change key order or whitespace, and then the signature will not verify). I label this stage debugging-only because reading `payload.userId` here is fine for log output but a security disaster for authorization: nothing in the payload can be trusted until the signature over `signingInput` has been checked.
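The decode stage described above, as an added example in JavaScript (this is not the snippet author's code). It assumes the `atob` and `TextDecoder` globals, which browsers and Node 16+ provide; the function names `base64urlToBytes`, `segmentToJson` and `decodeJwtUnverified` are chosen for this example, and `SAMPLE_TOKEN` is a sample HS256 token constructed for illustration. The decoder normalizes the alphabet and padding itself and rejects the 4n+1 case up front, so it behaves the same in every runtime, and it exposes the raw `signingInput` substring rather than re-serialized JSON.

```javascript
// Added example, not the page's own snippet: the unverified decode stage of an
// HS256 JWT verifier. Splits the compact serialization, base64url-decodes each
// segment with explicit alphabet translation and padding, and keeps the literal
// header.payload substring as the signing input. Nothing here is verified;
// treat the result as untrusted until the signature has been checked.

// Sample token constructed for this example (HS256 header, three-claim payload).
const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

// RFC 4648 section 5 alphabet without padding, which is what JWT segments use.
const BASE64URL_RE = /^[A-Za-z0-9_-]*$/;

// Decode one base64url segment to bytes. atob() wants the standard alphabet
// and a length that is a multiple of four, so normalize before calling it.
function base64urlToBytes(segment) {
  if (!BASE64URL_RE.test(segment)) {
    throw new Error('segment contains characters outside the base64url alphabet');
  }
  // A length of 4n+1 cannot encode any byte sequence. atob() rejects it and
  // Buffer.from() silently drops the last character, so decide it here.
  if (segment.length % 4 === 1) {
    throw new Error('segment length is not a valid base64url length');
  }
  const standard = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = standard + '='.repeat((4 - (standard.length % 4)) % 4);
  const binary = atob(padded); // one char per byte, code points 0..255
  const bytes = new Uint8Array(binary.length);
  for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
  return bytes;
}

// Parse a segment as UTF-8 JSON. fatal:true makes invalid UTF-8 throw instead
// of silently substituting U+FFFD, which would hide a corrupt token.
function segmentToJson(segment) {
  const text = new TextDecoder('utf-8', { fatal: true }).decode(base64urlToBytes(segment));
  const value = JSON.parse(text);
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error('segment is not a JSON object');
  }
  return value;
}

// Split a compact JWT into its parts WITHOUT verifying anything.
// Fine for logging; never use header or payload from this for authorization.
function decodeJwtUnverified(token) {
  if (typeof token !== 'string') throw new Error('token must be a string');
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 segments, got ${parts.length}`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  if (headerSeg === '' || payloadSeg === '') {
    throw new Error('header and payload segments must be non-empty');
  }
  return {
    header: segmentToJson(headerSeg),
    payload: segmentToJson(payloadSeg),
    // The exact bytes the HMAC covers: the raw substring, not re-serialized JSON.
    signingInput: token.slice(0, token.lastIndexOf('.')),
    // Empty for `alg: none`; the verify stage must reject that, never accept it.
    signature: base64urlToBytes(signatureSeg),
  };
}

// Usage: log-safe inspection only.
const decoded = decodeJwtUnverified(SAMPLE_TOKEN);
console.log(decoded.header.alg, decoded.payload.sub, decoded.signature.length);
```

The verify stage then feeds `decoded.signingInput` (as UTF-8 bytes) and `decoded.signature` to the HMAC check; the `header` and `payload` objects returned here should not drive any decision until that check has passed.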