JWT must have 3 segments: what it means and how to fix it

TL;DR: Validate locally, fix the first real error, validate again (no upload).

Fix JWT must have 3 segments by decoding safely and locally (no upload).

What the error means

JWT must have 3 segments means a decoder rejected the input as invalid encoding. The fastest path is to identify what format you have, normalize it, then decode again.

Most common real-world causes

JWT problems are often: not 3 segments, wrong key/algorithm, or option mismatch (aud/iss/sub).
The input is not actually encoded in the expected format (Base64 vs Base64URL vs plain text).
You copied only part of the string (truncated token/payload).
Whitespace/newlines were introduced during copy/paste.
Wrong character set: URL-safe Base64 uses '-' and '_' instead of '+' and '/'.
You decoded using the wrong function (decodeURIComponent on non-URL-encoded data, atob on non-Base64).

Fast debugging steps

If you see a JWT library error, decode the token parts first to confirm structure and claims.
Confirm what you are decoding (URL encoding, Base64, Base64URL, JWT).
Trim whitespace and remove line breaks before decoding.
If it's a JWT, ensure it has 3 dot-separated parts (header.payload.signature).
If it's Base64URL, convert '-' -> '+' and '_' -> '/' and add padding if needed.

Code example (jwt)

// Decode JWT header/payload locally (Base64URL)
const parts = token.split('.');
if (parts.length !== 3) throw new Error('JWT must have 3 segments');

const b64urlToB64 = (s) => s.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(s.length / 4) * 4, '=');
const decodePart = (s) => JSON.parse(atob(b64urlToB64(s)));

console.log('header', decodePart(parts[0]));
console.log('payload', decodePart(parts[1]));
// Signature verification requires the signing key and is NOT done here.

Fix without uploading data

Encoded strings often contain secrets (tokens, IDs). Decode locally and share only redacted snippets.

URL Encode/Decode for percent-encoding.
Base64 Encode/Decode for Base64/Base64URL payloads.
JWT Decoder to inspect header/payload without uploads.

FAQ

Is Base64 the same as Base64URL? No. Base64URL uses '-' and '_' and often omits padding. Normalize before decoding.

Does decoding a JWT verify it? No. Decoding shows claims; verification requires the signing key.

Next steps

Related tools

Base64 Encode/Decode URL Encode/Decode Query string ↔ JSON JWT Decoder

Related guides

URL encoding explained Decode Base64 without uploading Encode Base64 without uploading Base64URL vs Base64 Base64URL → Base64 convert Base64 padding (=) explained atob/btoa explained Decode JWT without uploading

Privacy & Security

All processing happens locally in your browser. Files are never uploaded.