Version: 1.5.1

JWT Decode

Parse Security

Synopsis

Decodes JSON Web Tokens into header, claims, and signature components.

Schema

- jwt_decode:
    field: <ident>
    target_field: <string>
    extract_header: <boolean>
    extract_claims: <boolean>
    extract_signature: <boolean>
    parse_dates: <boolean>
    description: <text>
    if: <script>
    ignore_failure: <boolean>
    ignore_missing: <boolean>
    on_failure: <processor[]>
    on_success: <processor[]>
    tag: <string>

Configuration

The following fields are used to define the processor:

Field	Required	Default	Description
`field`	Y	-	Source field containing JWT token to decode
`target_field`	N	`{field}_decoded`	Target field to store decoded JWT components
`extract_header`	N	`false`	Extract JWT header (algorithm, token type)
`extract_claims`	N	`true`	Extract JWT claims/payload (defaults to true if no extract flags specified)
`extract_signature`	N	`false`	Include signature as hex string
`parse_dates`	N	`false`	Parse timestamp claims into readable date formats
`description`	N	-	Explanatory note
`if`	N	-	Condition to run
`ignore_failure`	N	`false`	Continue processing if decoding fails
`ignore_missing`	N	`false`	Skip processing if referenced field doesn't exist
`on_failure`	N	-	See Handling Failures
`on_success`	N	-	See Handling Success
`tag`	N	-	Identifier

Details

Decodes JSON Web Tokens (JWT) into their constituent parts: header, payload (claims), and signature. The processor extracts token structure without verifying cryptographic signatures.

JWT tokens consist of three base64-encoded parts separated by dots: header.payload.signature. The processor decodes each part and presents them in a structured format. The "Bearer " prefix is automatically removed if present.

By default, only claims are extracted. Use extract_header and extract_signature flags to include additional token components.

When parse_dates is enabled, timestamp claims (exp, iat, nbf, auth_time, updated_at) are converted into multiple readable formats with *_timestamp, *_datetime, and *_readable suffixes.

The processor adds convenience fields at root level for standard claims: subject, issuer, audience, expiration, issued_at, not_before, jwt_id. Additional fields include is_expired and expires_in_seconds for expiration checking.

warning

This processor decodes JWT tokens without verifying signatures. Do NOT use decoded data for security-critical decisions without proper validation.

Examples

Basic JWT Decoding

Decoding JWT token claims...

{
  "auth_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}

- jwt_decode:
    field: auth_token

extracts claims with convenience fields at root level:

{
  "auth_token": "eyJhbGciOiJIUzI1N...",
  "auth_token_decoded": {
    "claims": {
      "sub": "1234567890",
      "name": "John Doe",
      "iat": 1516239022
    },
    "subject": "1234567890",
    "issued_at": 1516239022
  }
}

Extracting Header and Signature

Extracting all JWT components...

{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}

- jwt_decode:
    field: token
    extract_header: true
    extract_claims: true
    extract_signature: true

includes header, claims, and signature:

{
  "token": "eyJhbGciOiJIUzI1N...",
  "token_decoded": {
    "header": {
      "alg": "HS256",
      "typ": "JWT"
    },
    "claims": {
      "sub": "1234567890",
      "name": "John Doe",
      "iat": 1516239022
    },
    "signature": "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
    "subject": "1234567890",
    "issued_at": 1516239022
  }
}

Parsing Date Claims

Converting timestamp claims to readable formats...

{
  "session_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE3MzU2ODk2MDAsIm5iZiI6MTUxNjIzOTAyMn0.4Adcj3UFYzPUVaVF43FmMab6RlaQD8A9V8wFzzht-KQ"
}

- jwt_decode:
    field: session_token
    parse_dates: true

adds timestamp, datetime, and readable date fields:

{
  "session_token": "eyJhbGciOiJIUzI1N...",
  "session_token_decoded": {
    "claims": {
      "sub": "1234567890",
      "iat": 1516239022,
      "iat_timestamp": 1516239022,
      "iat_datetime": "2018-01-18T01:30:22Z",
      "iat_readable": "2018-01-18 01:30:22 UTC",
      "exp": 1735689600,
      "exp_timestamp": 1735689600,
      "exp_datetime": "2025-01-01T00:00:00Z",
      "exp_readable": "2025-01-01 00:00:00 UTC"
    },
    "subject": "1234567890",
    "issued_at": 1516239022,
    "expiration": 1735689600,
    "is_expired": false,
    "expires_in_seconds": 219450578
  }
}

Bearer Token Prefix

Handling Authorization header with Bearer prefix...

{
  "authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}

- jwt_decode:
    field: authorization

automatically strips Bearer prefix before decoding:

{
  "authorization": "Bearer eyJhbGciOiJIUzI1N...",
  "authorization_decoded": {
    "claims": {
      "sub": "1234567890",
      "name": "John Doe",
      "iat": 1516239022
    },
    "subject": "1234567890",
    "issued_at": 1516239022
  }
}

Synopsis​

Schema​

Configuration​

Details​

Examples​

Basic JWT Decoding​

Extracting Header and Signature​

Parsing Date Claims​

Bearer Token Prefix​