How to decode a JSON Web Token in Postman.

Jeff Heienickle
3 min read · Dec 20, 2021

Secure web APIs commonly use JSON Web Tokens (JWTs) to carry authorization information in an HTTP header. When a user authenticates against a login endpoint, a JWT is returned, and each subsequent request to a protected endpoint carries that JWT in a header. A token consists of three base64url-encoded parts (header, payload, signature). The header and payload are encoded, not encrypted, so anyone holding the token can decode them, and online decoders make this easy. However, pasting a live token into a third-party website hands that site a bearer credential that it, or anyone who intercepts the submission, can replay against your API until the token expires. Here I will demonstrate how to use Postman to decode and visualize the JWT payload locally, so the token never leaves your machine.

Postman is a convenient tool for API testing and can be configured to make an authentication request that retrieves a JWT. The token can be saved in an environment variable and reused in the Authorization header of other requests. Postman also lets us run JavaScript test scripts to validate and visualize the decoded JWT payload.

Using the JWT with secure requests.

In Postman, create a new workspace and environment.

Now create your first request, which authenticates and receives a JWT. Your authentication service documents the exact request format. Before sending the authentication request, add the following script under the Tests tab. Scripts in the Tests tab run after the response arrives; this one saves the token in an environment variable for other API requests to use.

// Tests tab of the login request: parse the JSON response and store the token
// in the 'jwt' environment variable so later requests can reference it as {{jwt}}
var jsonData = pm.response.json();
pm.environment.set('jwt', jsonData.access_token);

Clicking the Send button triggers the request in Postman and automatically runs the test script.

Any request to a protected API endpoint can now use this environment variable by adding an Authorization header. In any new request, click the Headers tab and add a key named Authorization with the value Bearer {{jwt}}. When the request is sent, Postman replaces the double curly braces with the current value of the named environment variable.

Decoding the JWT to inspect the payload and claims.

Postman's visualizer lets us supply a Handlebars template and render an HTML table from the decoded JWT data. Add the following script under the Tests tab of your authentication request to decode the JWT locally. Keep in mind that decoding only reveals the header and payload; it does not verify the signature, so the claims you see should not be trusted until the issuer's key has been used to check them.

To view the rendered HTML, click the Visualize tab in the response section.
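The following is an added example written for this page, not the article's own script or any Postman-supplied code. It decodes the stored token by hand, checks the exp and nbf time claims, and passes the claims to pm.visualizer.set with a Handlebars template. The base64url decoder is implemented in plain JavaScript so the same file runs in the Postman sandbox and under Node; the token at the bottom is a constructed sample (the widely circulated jwt.io demo token, which carries no exp claim) used only when the script runs outside Postman. The test names and template layout are my own choices.

```javascript
// Added example, not the article's own script: decode a JWT locally, check its
// time claims, and hand the result to Postman's visualizer.

// Base64url alphabet (RFC 4648 section 5); JWTs use it without '=' padding.
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Decode base64url text to a UTF-8 string. Done by hand rather than with Buffer
// or atob, since neither is guaranteed to exist in the Postman sandbox.
function base64UrlDecode(input) {
  // Tolerate classic base64 ('+', '/', trailing '=') as well as base64url.
  const s = input.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  let bits = 0, acc = 0, percentEncoded = '';
  for (const ch of s) {
    const idx = B64URL.indexOf(ch);
    if (idx < 0) throw new Error('invalid base64url character: ' + JSON.stringify(ch));
    acc = (acc << 6) | idx;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      const byte = (acc >> bits) & 0xff;
      acc &= (1 << bits) - 1; // keep only the leftover bits
      percentEncoded += '%' + ('0' + byte.toString(16)).slice(-2);
    }
  }
  // decodeURIComponent turns the %XX byte sequence into a UTF-8 decoded string.
  return decodeURIComponent(percentEncoded);
}

// Split a compact JWT into its three parts and parse the two JSON ones. The
// signature is returned untouched: this does NOT verify it, so the claims are
// untrusted until the issuer's key has been used to check the signature.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('expected header.payload.signature, got ' + parts.length + ' part(s)');
  }
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
    signature: parts[2],
  };
}

// Check the registered time claims (RFC 7519 exp and nbf, seconds since epoch)
// against a given clock value; returns a list of problems, empty when fine.
function checkTimeClaims(payload, nowSeconds) {
  const problems = [];
  const iso = (secs) => new Date(secs * 1000).toISOString();
  if (typeof payload.exp !== 'number') {
    problems.push('no exp claim');
  } else if (payload.exp <= nowSeconds) {
    problems.push('token expired at ' + iso(payload.exp));
  }
  if (typeof payload.nbf === 'number' && payload.nbf > nowSeconds) {
    problems.push('token not valid before ' + iso(payload.nbf));
  }
  return problems;
}

// One row per claim for the template; values JSON-encoded so nested objects
// and arrays stay readable in the table.
function claimRows(payload) {
  return Object.keys(payload).map((name) => ({ name, value: JSON.stringify(payload[name]) }));
}

// Handlebars template rendered by pm.visualizer.set().
const TEMPLATE = `
<table border="1" cellpadding="4">
  <tr><th>Claim</th><th>Value</th></tr>
  {{#each claims}}<tr><td>{{name}}</td><td>{{value}}</td></tr>{{/each}}
</table>
<p>alg: {{alg}}</p>
<p>Time claim problems: {{problems}}</p>`;

// Constructed sample for running this file outside Postman: the jwt.io demo
// token (no exp claim). Not a real credential.
const SAMPLE_JWT =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

if (typeof pm !== 'undefined') {
  // Inside Postman: decode the token the login request stored in {{jwt}}.
  const decoded = decodeJwt(pm.environment.get('jwt'));
  const problems = checkTimeClaims(decoded.payload, Math.floor(Date.now() / 1000));
  pm.test('JWT payload decodes to JSON', () => pm.expect(decoded.payload).to.be.an('object'));
  pm.test('JWT time claims are valid now', () => pm.expect(problems, problems.join('; ')).to.be.empty);
  pm.visualizer.set(TEMPLATE, {
    claims: claimRows(decoded.payload),
    alg: decoded.header.alg,
    problems: problems.length ? problems.join('; ') : 'none',
  });
} else {
  // Outside Postman (node decode-jwt.js): show what the decoder produces.
  const decoded = decodeJwt(SAMPLE_JWT);
  console.log(JSON.stringify(decoded, null, 2));
  console.log('problems:', checkTimeClaims(decoded.payload, Math.floor(Date.now() / 1000)));
}
```

Paste the whole file into the Tests tab of the login request; the pm branch runs there, the else branch only runs when you execute the file with Node. A failing "JWT time claims are valid now" test tells you immediately that the token you are about to reuse in {{jwt}} has already expired, which is a common reason for unexplained 401 responses in later requests.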
