What Is a JWT (JSON Web Token)?
A JSON Web Token (JWT) is a compact, URL-safe token format used to securely transmit information between two parties. It is widely used for authentication and authorization in web applications, mobile apps, APIs, and microservices.
A JWT consists of three parts separated by dots (.):
Header.Payload.Signature
For example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9. SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Each section is Base64URL encoded and contains important information about the token.
What Does a JWT Decoder Do?
A JWT Decoder converts the encoded Header and Payload sections of a JWT into human-readable JSON. This allows developers to inspect claims, verify token structure, troubleshoot authentication issues, and understand what information is stored inside the token.
Our JWT Decoder processes the token locally in your browser, helping you inspect its contents quickly without sending your data to a server.
Understanding the Three Parts of a JWT
1. Header
The header specifies metadata about the token, such as the signing algorithm and token type. Example:
{
"alg": "HS256",
"typ": "JWT"
}2. Payload
The payload contains claims or data stored within the token. Example:
{
"sub": "1234567890",
"name": "John Doe",
"email": "john@example.com",
"admin": true,
"iat": 1719000000,
"exp": 1719003600
}3. Signature
The signature verifies that the token has not been modified after creation. It is generated using the encoded header, encoded payload, secret key or private key, and the signing algorithm. Without the correct signing key, the signature cannot be recreated or verified.
Why Use a JWT Decoder?
Developers frequently need to inspect JWTs during development or debugging. A decoder helps you view the token header, decode the payload instantly, inspect expiration dates, understand user claims, troubleshoot authentication problems, and debug API authorization issues.
Common JWT Use Cases
JWTs are commonly used in user login systems, REST APIs, OAuth authentication, Single Sign-On (SSO), mobile applications, microservices communication, and cloud platform authentication.
Example JWT
Encoded token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJ1c2VySWQiOjQyLCJuYW1lIjoiQWxpY2UiLCJyb2xlIjoiYWRtaW4iLCJleHAiOjE3NTAwMDAwMDB9. exampleSignature
Decoded Header:
{
"alg": "HS256",
"typ": "JWT"
}Decoded Payload:
{
"userId": 42,
"name": "Alice",
"role": "admin",
"exp": 1750000000
}How to Use This JWT Decoder
- Copy your JWT token.
- Paste it into the input box.
- Click Decode.
- View the decoded Header and Payload instantly.
Is Decoding the Same as Verifying?
No. A decoder only converts Base64URL-encoded data into readable JSON. It does not verify whether the token is authentic or signed correctly. Verification requires the appropriate secret key or public key used during token generation.
Is It Safe to Decode JWTs?
Decoding is generally safe because it simply reads the token contents. However, never share production tokens publicly and avoid exposing sensitive authentication credentials. For maximum privacy, use tools that perform decoding locally within your browser.
Common JWT Claims Explained
| Claim | Description |
|---|---|
iss | Token issuer |
sub | Subject identifier |
aud | Intended audience |
exp | Expiration time |
nbf | Not valid before |
iat | Issued at timestamp |
jti | Unique token identifier |
Advantages of JWT
- Compact and URL-safe
- Stateless authentication
- Easy API integration and distributed systems support
- Widely adopted industry standard
Limitations of JWT
- Payload is readable after decoding (unless encrypted)
- Large payloads increase request size
- Revoking issued tokens can be challenging
Tips for Working with JWTs
- Keep expiration times reasonably short.
- Store tokens securely and always validate signatures on the server.
- Use HTTPS to prevent interception.
Frequently Asked Questions
Can I modify a decoded JWT?
You can edit the decoded JSON, but changing it invalidates the original signature unless the token is re-signed with the correct key.
Does decoding reveal the secret key?
No. The signing secret or private key is never included inside the token.
Can expired JWTs still be decoded?
Yes. Even expired tokens can be decoded, although applications should reject them during verification.
Final Thoughts
Whether you're debugging an API, learning about authentication, or inspecting authorization claims, a JWT Decoder is an essential tool for developers. Simply paste your token to view its decoded Header and Payload in seconds, understand its structure, and diagnose authentication issues with confidence.