The library PyJWT has an option to decode a JWT without verification. Without this option, the decode function not only decodes the token but also verifies the signature, and you would have to provide the matching key. And that’s of course the recommended way.
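The difference between the two decode modes, as an added example that is not part of the original text: it assumes PyJWT 2.x, where the option is spelled `options={"verify_signature": False}`. The key, the claims and the helper names (`make_token`, `tamper`, `peek`, `verify`, `safe_claims`) are constructed for illustration.

```python
import base64
import json

import jwt  # PyJWT 2.x assumed

KEY = "constructed-demo-secret-32-bytes-long!!"  # constructed sample key
ALGS = ["HS256"]  # explicit allow-list; never take the algorithm from the token


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Issue a signed HS256 token for the constructed claims."""
    return jwt.encode(claims, KEY, algorithm="HS256")


def tamper(token: str, new_claims: dict) -> str:
    """Swap the payload segment but keep the original header and signature."""
    header, _payload, signature = token.split(".")
    forged = b64url(json.dumps(new_claims).encode())
    return f"{header}.{forged}.{signature}"


def peek(token: str) -> dict:
    """Decode only: claims come back without any signature check."""
    return jwt.decode(token, options={"verify_signature": False})


def verify(token: str) -> dict:
    """Decode and verify: requires the matching key and the allow-list."""
    return jwt.decode(token, KEY, algorithms=ALGS)


def safe_claims(token: str):
    """Return verified claims, or None if the token fails any check."""
    try:
        return verify(token)
    except jwt.InvalidTokenError:
        return None
```

The unverified path returns whatever the payload segment says, so its output is only suitable for inspection or logging, never for an authorization decision.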