How do I decode a JWT token?

A JWT has three Base64url-encoded segments separated by dots. Copy the middle segment (the payload), paste it into a Base64 decoder, and you will see the JSON claims: user ID, expiration time, roles, and other data.

How do I decode a Kubernetes secret?

Run kubectl get secret my-secret -o jsonpath and pipe to base64 -d. Or copy the Base64 value from the YAML output and paste it into a browser-based decoder. The decoded text is your actual password, connection string, or API key.

Is it safe to decode JWTs online?

With a browser-based tool that processes locally, yes. The JWT never leaves your device. Avoid pasting production JWTs into server-based tools that might log your tokens.

Why are Kubernetes secrets Base64 encoded?

Kubernetes uses Base64 to safely store binary data in YAML, which is a text format. Base64 is NOT encryption. Anyone with access to the YAML can decode the secrets. For actual security, use tools like Sealed Secrets, SOPS, or external secret managers.

What is the difference between Base64 and Base64url?

JWTs use Base64url which replaces + with - and / with _ to be URL-safe. Standard Base64 uses + and /. Most decoders handle both, but if you get errors decoding a JWT, try replacing - with + and _ with / first.

Can I decode a JWT without the secret key?

You can decode (read) the header and payload without the key. The signature (third segment) requires the key to verify but not to read. This is by design. JWTs carry readable claims. The signature just proves they have not been tampered with.

Base64 Decode for JWT Tokens and Kubernetes Secrets

Last updated: April 20267 min readEncode/Decode Tools

Two of the most common reasons to decode Base64: checking what is inside a JWT token and reading Kubernetes secret values. This guide covers both with step-by-step examples.

Decoding JWT Tokens

A JWT (JSON Web Token) looks like this:

eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiam9obiIsInJvbGUiOiJhZG1pbiJ9.signature

Three segments separated by dots:

Header (algorithm, type)
Payload (claims: user data, expiration, permissions)
Signature (verification, needs the secret key)

You can decode segments 1 and 2 without any key. They are just Base64url-encoded JSON.

Quick Method

Copy the middle segment: eyJ1c2VyIjoiam9obiIsInJvbGUiOiJhZG1pbiJ9
Paste into the Base64 Decoder
Click Decode
Read the JSON: {"user":"john","role":"admin"}

For a full JWT breakdown with all three segments parsed and formatted, use the JWT Decoder.

What You Find Inside

Claim	Example	Meaning
sub	12345	Subject (user ID)
exp	1712345678	Expiration (Unix timestamp)
iat	1712340000	Issued at time
role	admin	User role/permissions
email	[email protected]	User email
iss	auth.example.com	Token issuer

Check the exp claim to see if a token has expired. Convert the Unix timestamp with the Timestamp Converter.

Decode JWT payloads and Base64 strings instantly.

Decode Now →

Decoding Kubernetes Secrets

When you get a Kubernetes secret:

apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
data:
  username: YWRtaW4=
  password: czNjcjN0UEBzc3cwcmQ=

The values are Base64. Decode them:

YWRtaW4= → admin
czNjcjN0UEBzc3cwcmQ= → s3cr3tP@ssw0rd

From the Terminal

kubectl get secret db-credentials -o jsonpath='{.data.password}' | base64 -d
Or decode all at once: kubectl get secret db-credentials -o json | jq -r '.data | to_entries[] | "\(.key): \(.value | @base64d)"'

Why Kubernetes Uses Base64

YAML is a text format. Binary values (certificates, keys) cannot be stored directly. Base64 converts them to text. But Base64 is NOT security. Anyone with kubectl access can decode the values. Use Sealed Secrets, SOPS, Vault, or external secret managers for real protection.

Security Reminder

Both JWTs and Kubernetes secrets use Base64 for format compatibility, not security. A Base64-encoded password is not a protected password. Always:

Use HTTPS when transmitting JWTs
Verify JWT signatures server-side before trusting claims
Use RBAC to restrict who can read Kubernetes secrets
Consider encrypting secrets at rest with a secrets manager

Base64 Decode for JWT Tokens and Kubernetes Secrets

Decoding JWT Tokens

Quick Method

What You Find Inside

Decoding Kubernetes Secrets

From the Terminal

Why Kubernetes Uses Base64

Security Reminder

Related Posts

JWT Decoder

Base64 Decode

What Is Base64?

Base64 Command Line