🛠️
Astonishbuddy
No login required
How to Use JWT Decoder
🔑 AstonishBuddy Guide

How to Use JWT Decoder

🔑
AstonishBuddy Team
📅June 19, 2026
All Guides
Decode and inspect JWT tokens locally in your browser. A complete guide to understanding JSON Web Token structure, claims, and security with our free JWT decoder.
🔑

Ready to try it?

Use the free tool directly — no sign-up required.

Open Tool →

JSON Web Tokens (JWTs) are a compact, URL-safe method of securely representing claims between two parties. They are widely used for authentication, authorization, and information exchange in modern web applications and APIs. Being able to decode and inspect a JWT is an essential debugging skill for developers working with authentication systems.

Our free JWT Decoder instantly decodes any JWT token to reveal its header, payload, and signature information — all processed locally in your browser so your tokens never leave your device.

What Is a JWT?

A JWT consists of three Base64url-encoded parts separated by periods:

  • Header: Specifies the token type (JWT) and the signing algorithm (e.g., HS256, RS256, ES256).
  • Payload: Contains the claims — statements about the user or entity (user ID, roles, permissions, expiry time, etc.).
  • Signature: Verifies that the header and payload haven't been tampered with. Created by signing the header + payload with a secret or private key.

A typical JWT looks like: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIn0.signature

How to Use Our JWT Decoder

  1. Paste Your JWT — Copy a JWT token from your application, API response, browser developer tools, or anywhere else and paste it into the input field.
  2. Automatic Decoding — The tool instantly decodes all three parts (header, payload, signature) and displays them as formatted, readable JSON.
  3. View Claims — Examine all the claims in the payload section (sub, iat, exp, roles, etc.).
  4. Check Expiry — The exp (expiration) claim is automatically converted to a human-readable date and compared to the current time to show whether the token has expired.
  5. Verify Structure — The tool validates that the JWT has the correct three-part structure and valid Base64url encoding.

Common JWT Claims

  • iss (Issuer): Identifies who issued the JWT (e.g., your authentication server's domain).
  • sub (Subject): Identifies the principal — typically the user ID.
  • aud (Audience): Identifies the intended recipients of the JWT.
  • exp (Expiration Time): Unix timestamp after which the token is no longer valid.
  • iat (Issued At): Unix timestamp when the token was issued.
  • nbf (Not Before): Unix timestamp before which the token is not valid.
  • jti (JWT ID): Unique identifier for the token, used to prevent replay attacks.

JWT Signing Algorithms

  • HS256/HS384/HS512 (HMAC): Symmetric algorithms using a shared secret. Fast but requires the secret to be shared between issuer and verifier.
  • RS256/RS384/RS512 (RSA): Asymmetric algorithms using a public/private key pair. The private key signs; the public key verifies. Secure for distributed systems.
  • ES256/ES384/ES512 (ECDSA): Elliptic curve asymmetric signatures. Smaller key sizes than RSA with equivalent security.
  • none: No signature. Should NEVER be accepted by production applications as it allows token forgery.

Security Best Practices

  • Always verify the signature server-side — decoding alone does not validate authenticity.
  • Check the exp claim on every request — never accept expired tokens.
  • Validate the iss (issuer) and aud (audience) claims to prevent token misuse.
  • Use short expiry times (15 minutes to 1 hour) for access tokens; use refresh tokens for longer sessions.
  • Never store sensitive information (passwords, PII) in the JWT payload — it's encoded, not encrypted.
  • Use RS256 or ES256 for public-facing APIs instead of HS256.

JWTs are central to modern authentication and authorization systems. Our free JWT decoder gives you instant visibility into token structure and claims, making it an essential tool for debugging, development, and security review.

← Previous GuideHow to Use Text Diff CheckerNext Guide →How to Use PDF Compressor

Found this guide helpful?

Explore all free tools and step-by-step guides on AstonishBuddy.

← All Guides🛠️ Explore Tools

More Guides