How to Decode API tokens with a decryption key using JWT

How can I decode an api token generated by the sender with the algorithm HS512 and a decryption key: eg. KKHjkgfubfjgdhfg$C&F)J@NcQfTjWnZr4u7x!A%D*G-kjfsjdj&hfs99nvk/B?E

The following is the e.g in JAVA

import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SignatureException;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.bind.DatatypeConverter;
import org.springframework.stereotype.Component;
import org.springframework.util.Assert;
public class JWTUtil {
* Parse jwt body using given signing key.
* @param key signing key
* @param signAlgorithm
* @param jwt token
* @return payload
* @throws ExpiredJwtException if JWT expiration time is exceeded
* @throws SignatureException if signature verification failed
public static Object getJWTBody(String key, SignatureAlgorithm signAlgorithm, String jwt)
throws ExpiredJwtException, SignatureException {
Assert.hasText(key, "Encryption key should not be null or empty");
byte[] encryptionKeyBytes = DatatypeConverter.parseBase64Binary(key);
Key signingKey = new SecretKeySpec(encryptionKeyBytes, signAlgorithm);
return Jwts.parser()

So Far I just mange to create plug to extract to token from the connection

defmodule MyAppWeb.Plug.ValidateToken do
  @behaviour Plug
  import Plug.Conn
  import MyMapp.Security.JwtToken

  alias MyApp.Notification.GlobalMessages, as: Message
  alias MyAppWeb.SessionController, as: Callback

  def init(default), do: default

  def call(conn, _default) do
    if Plug.Conn.get_req_header(conn, "authorisation") != [] do
      [auth_token] = Plug.Conn.get_req_header(conn, "authorisation")
         # code come here
      Callback.respond(conn, Message.message_auth_token_header_not_set?(), :unauthorized) |> halt()


How can I decode It?

check out Joken. i haven’t used this myself, but we did use an underlying library (JOSE for JWTs)

looks like Joken would provide you with a simpler API to interact with JWTs. you’d have to create a Joken.Signer struct and then call Joken.verify/3 which will return back your claims as a map if successful

1 Like