tessl/maven-com-auth0--java-jwt
A comprehensive Java implementation of JSON Web Token (JWT) with creation, signing, and verification capabilities for server-side JVM applications.
—
Pending
jwt-decoding.mddocs/
JWT Decoding
JWT decoding functionality for accessing token header, payload, and claims without signature verification. Use only when token trust has been established through other means.
Capabilities
Static Token Decoding
Decode a JWT token without verifying its signature to access header and payload information.
/**
* Decode a given Json Web Token.
* Note that this method doesn't verify the token's signature!
* Use it only if you trust the token or if you have already verified it.
* @param token with jwt format as string
* @return a decoded JWT
* @throws JWTDecodeException if any part of the token contained an invalid jwt or JSON format of each of the jwt parts
*/
public static DecodedJWT decode(String token) throws JWTDecodeException;Usage Example:
import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.exceptions.JWTDecodeException;
try {
String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";
DecodedJWT jwt = JWT.decode(token);
// Access header information
String algorithm = jwt.getAlgorithm();
String keyId = jwt.getKeyId();
// Access payload claims
String subject = jwt.getSubject();
String issuer = jwt.getIssuer();
Date expiration = jwt.getExpiresAt();
System.out.println("Algorithm: " + algorithm);
System.out.println("Subject: " + subject);
} catch (JWTDecodeException exception) {
System.err.println("Invalid JWT format: " + exception.getMessage());
}Instance Token Decoding
Decode JWT tokens using a reusable JWT instance, optimized for high-throughput scenarios where many tokens need to be decoded.
/**
* Decode a given Json Web Token using a JWT instance.
* Note that this method doesn't verify the token's signature!
* Use it only if you trust the token or if you have already verified it.
* @param token with jwt format as string
* @return a decoded JWT
* @throws JWTDecodeException if any part of the token contained an invalid jwt or JSON format of each of the jwt parts
*/
public DecodedJWT decodeJwt(String token) throws JWTDecodeException;Usage Example:
import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.exceptions.JWTDecodeException;
// Create reusable JWT instance for high-throughput decoding
JWT jwtDecoder = new JWT();
// Decode multiple tokens efficiently
for (String token : tokenList) {
try {
DecodedJWT jwt = jwtDecoder.decodeJwt(token);
String subject = jwt.getSubject();
processToken(subject);
} catch (JWTDecodeException exception) {
System.err.println("Invalid JWT: " + exception.getMessage());
}
}
**Usage Example:**
```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;
// Create reusable decoder instance
JWT jwtDecoder = new JWT();
// Decode multiple tokens efficiently
String[] tokens = {
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9..."
};
for (String token : tokens) {
try {
DecodedJWT jwt = jwtDecoder.decodeJwt(token);
System.out.println("Token subject: " + jwt.getSubject());
} catch (JWTDecodeException e) {
System.err.println("Failed to decode token: " + e.getMessage());
}
}Token Component Access
Access the raw JWT components (header, payload, signature) as base64-encoded strings.
/**
* Getter for the Token used to create this JWT instance.
* @return the Token used to create this JWT instance
*/
String getToken();
/**
* Getter for the Header contained in this JWT as a Base64 encoded String.
* @return the Header contained in this JWT as a Base64 encoded String
*/
String getHeader();
/**
* Getter for the Payload contained in this JWT as a Base64 encoded String.
* @return the Payload contained in this JWT as a Base64 encoded String
*/
String getPayload();
/**
* Getter for the Signature contained in this JWT as a Base64 encoded String.
* @return the Signature contained in this JWT as a Base64 encoded String
*/
String getSignature();Usage Example:
DecodedJWT jwt = JWT.decode(token);
// Access raw components
String originalToken = jwt.getToken();
String headerB64 = jwt.getHeader();
String payloadB64 = jwt.getPayload();
String signatureB64 = jwt.getSignature();
System.out.println("Original token: " + originalToken);
System.out.println("Header (Base64): " + headerB64);
System.out.println("Payload (Base64): " + payloadB64);
System.out.println("Signature (Base64): " + signatureB64);
// Reconstruct token manually if needed
String reconstructed = headerB64 + "." + payloadB64 + "." + signatureB64;
assert originalToken.equals(reconstructed);Header Claim Access
Access JWT header claims including standard and custom header parameters.
/**
* Getter for the Algorithm "alg" claim contained in the Header.
* @return the Algorithm defined or null if it's not defined in the Header
*/
String getAlgorithm();
/**
* Getter for the Type "typ" claim contained in the Header.
* @return the Type defined or null if it's not defined in the Header
*/
String getType();
/**
* Getter for the Content Type "cty" claim contained in the Header.
* @return the Content Type defined or null if it's not defined in the Header
*/
String getContentType();
/**
* Getter for the Key Id "kid" claim contained in the Header.
* @return the Key Id defined or null if it's not defined in the Header
*/
String getKeyId();
/**
* Get a custom Claim given its name from the Header.
* @param name the name of the Claim to retrieve
* @return a valid Claim instance if the Claim was found or a NullClaim if not
*/
Claim getHeaderClaim(String name);Usage Example:
DecodedJWT jwt = JWT.decode(token);
// Standard header claims
String algorithm = jwt.getAlgorithm(); // e.g., "HS256", "RS256"
String type = jwt.getType(); // typically "JWT"
String contentType = jwt.getContentType(); // e.g., "application/json"
String keyId = jwt.getKeyId(); // key identifier for verification
System.out.println("Algorithm: " + algorithm);
System.out.println("Type: " + type);
// Custom header claims
Claim customClaim = jwt.getHeaderClaim("custom");
if (!customClaim.isMissing()) {
String customValue = customClaim.asString();
System.out.println("Custom header claim: " + customValue);
}Payload Claim Access
Access JWT payload claims including standard registered claims and custom claims.
/**
* Getter for the Issuer "iss" claim contained in the Payload.
* @return the Issuer value or null if it's not defined in the Payload
*/
String getIssuer();
/**
* Getter for the Subject "sub" claim contained in the Payload.
* @return the Subject value or null if it's not defined in the Payload
*/
String getSubject();
/**
* Getter for the Audience "aud" claim contained in the Payload.
* @return the Audience value or an empty list if it's not defined in the Payload
*/
List<String> getAudience();
/**
* Getter for the Expires At "exp" claim contained in the Payload.
* @return the Expires At value or null if it's not defined in the Payload
*/
Date getExpiresAt();
/**
* Getter for the Expires At "exp" claim contained in the Payload as an Instant.
* @return the Expires At value or null if it's not defined in the Payload
*/
Instant getExpiresAtAsInstant();
/**
* Getter for the Not Before "nbf" claim contained in the Payload.
* @return the Not Before value or null if it's not defined in the Payload
*/
Date getNotBefore();
/**
* Getter for the Not Before "nbf" claim contained in the Payload as an Instant.
* @return the Not Before value or null if it's not defined in the Payload
*/
Instant getNotBeforeAsInstant();
/**
* Getter for the Issued At "iat" claim contained in the Payload.
* @return the Issued At value or null if it's not defined in the Payload
*/
Date getIssuedAt();
/**
* Getter for the Issued At "iat" claim contained in the Payload as an Instant.
* @return the Issued At value or null if it's not defined in the Payload
*/
Instant getIssuedAtAsInstant();
/**
* Getter for the JWT ID "jti" claim contained in the Payload.
* @return the JWT ID value or null if it's not defined in the Payload
*/
String getId();
/**
* Get a custom Claim given its name from the Payload.
* @param name the name of the Claim to retrieve
* @return a valid Claim instance if the Claim was found or a NullClaim if not
*/
Claim getClaim(String name);
/**
* Get all Claims contained in the Payload.
* @return a Map containing all the custom Claims defined in the token
*/
Map<String, Claim> getClaims();Usage Example:
DecodedJWT jwt = JWT.decode(token);
// Standard registered claims
String issuer = jwt.getIssuer(); // "iss" claim
String subject = jwt.getSubject(); // "sub" claim
List<String> audience = jwt.getAudience(); // "aud" claim
Date expiresAt = jwt.getExpiresAt(); // "exp" claim
Date notBefore = jwt.getNotBefore(); // "nbf" claim
Date issuedAt = jwt.getIssuedAt(); // "iat" claim
String jwtId = jwt.getId(); // "jti" claim
System.out.println("Issuer: " + issuer);
System.out.println("Subject: " + subject);
System.out.println("Expires at: " + expiresAt);
// Use Instant for modern date handling
Instant expiresAtInstant = jwt.getExpiresAtAsInstant();
Instant notBeforeInstant = jwt.getNotBeforeAsInstant();
Instant issuedAtInstant = jwt.getIssuedAtAsInstant();
// Custom claims
Claim roleClaim = jwt.getClaim("role");
if (!roleClaim.isMissing()) {
String role = roleClaim.asString();
System.out.println("Role: " + role);
}
// All claims
Map<String, Claim> allClaims = jwt.getClaims();
for (Map.Entry<String, Claim> entry : allClaims.entrySet()) {
String claimName = entry.getKey();
Claim claimValue = entry.getValue();
if (!claimValue.isMissing()) {
System.out.println(claimName + ": " + claimValue.asString());
}
}Security Considerations
Important Security Note: The decode methods do NOT verify the token's signature. Use these methods only in the following scenarios:
- Already Verified Tokens: When the token has been previously verified through other means
- Trusted Sources: When you completely trust the source of the token
- Information Extraction: For extracting claims from tokens that will be verified separately
- Development/Debugging: For inspecting token contents during development
For production security-critical applications, always use the verification methods provided by JWTVerifier instead.
Usage Example with Security Warning:
// ⚠️ SECURITY WARNING: This does NOT verify the signature!
DecodedJWT jwt = JWT.decode(untrustedToken);
// ✅ SECURE: This verifies the signature
JWTVerifier verifier = JWT.require(algorithm).build();
DecodedJWT verifiedJwt = verifier.verify(untrustedToken);Types
/**
* JWT decoder interface providing access to token components and claims
*/
public interface DecodedJWT extends Payload, Header {
String getToken();
String getHeader();
String getPayload();
String getSignature();
}
/**
* JWT header interface providing access to header claims
*/
public interface Header {
String getAlgorithm();
String getType();
String getContentType();
String getKeyId();
Claim getHeaderClaim(String name);
}
/**
* JWT payload interface providing access to payload claims
*/
public interface Payload {
String getIssuer();
String getSubject();
List<String> getAudience();
Date getExpiresAt();
Instant getExpiresAtAsInstant();
Date getNotBefore();
Instant getNotBeforeAsInstant();
Date getIssuedAt();
Instant getIssuedAtAsInstant();
String getId();
Claim getClaim(String name);
Map<String, Claim> getClaims();
}Install with Tessl CLI
npx tessl i tessl/maven-com-auth0--java-jwt