JWT Decoder - Decode & Inspect JSON Web Tokens

How to Use the JWT Decoder

Paste a JWT into the input field. The tool splits the token at the two dots and decodes the header (signing algorithm and token type) and the payload (every claim, with human-readable labels for the registered ones). The signature segment is shown as-is, since it is raw bytes rather than JSON. An expiration indicator compares the exp claim with the current time and tells you whether the token has expired. Note that "not expired" is not the same as "valid": the tool does not check the signature, so it cannot tell whether the token was really issued by the party named in it.

Understanding JSON Web Tokens

JSON Web Tokens (JWT, RFC 7519) are the industry standard for transmitting authentication and authorization claims between services. When you log into a web application, the server typically issues a JWT that your browser sends with subsequent requests (usually in an Authorization: Bearer header or a cookie) to prove your identity. Understanding what is inside a JWT helps developers debug authentication issues, inspect claims, and troubleshoot token-based workflows.

Anatomy of a JWT

A JWT consists of three Base64URL-encoded sections separated by dots, in the form header.payload.signature. Base64URL is ordinary Base64 with '-' and '_' in place of '+' and '/' and with the trailing '=' padding dropped, so a token can travel unescaped in URLs, cookies and HTTP headers.

Section     Contains                                  Example fields
Header      Algorithm, token type                     alg: "RS256", typ: "JWT"
Payload     Claims and user data                      sub, iss, exp, iat, custom claims
Signature   MAC or digital signature over the         HMAC-SHA256 tag or RSA signature
            encoded header and payload
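The following is an added example, not the page's own tool code: a minimal JWT (compact JWS) parser in Node.js that does exactly what the decoder above does. It splits the token on dots, Base64URL-decodes each part, parses the header and payload as JSON, and keeps the signature as raw bytes without checking it. The sample token is the widely published HS256 example (claims sub, name and iat, signed with the secret "your-256-bit-secret") and is used here only as input.

```javascript
// Added example, not the page's tool code: a minimal JWT (compact JWS)
// parser in Node.js. It splits the token on dots, Base64URL-decodes each
// part, and parses the header and payload as JSON. The signature is kept
// as raw bytes: it is a MAC or digital signature, not JSON, and this
// function does not check it.

function base64UrlDecode(segment) {
  // Base64URL uses '-' and '_' for '+' and '/' and omits '=' padding.
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error('segment contains characters outside the Base64URL alphabet');
  }
  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, 'base64');
}

function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected header.payload.signature, got ${parts.length} part(s)`);
  }
  const [h, p, s] = parts;
  const header = JSON.parse(base64UrlDecode(h).toString('utf8'));
  const payload = JSON.parse(base64UrlDecode(p).toString('utf8'));
  return {
    header,
    payload,
    signature: base64UrlDecode(s),   // raw bytes; empty for alg "none"
    signingInput: `${h}.${p}`,       // the bytes the signature covers
  };
}

// Sample token (the well-known HS256 example with claims sub, name and iat,
// signed with the secret "your-256-bit-secret"); used here only as input.
const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

// Render the decoded parts as the decoder displays them, with time claims
// (NumericDate, seconds since the Unix epoch) shown as ISO timestamps.
function describeToken(token) {
  const { header, payload, signature } = decodeJwt(token);
  const lines = [`alg=${header.alg} typ=${header.typ}`];
  for (const [claim, value] of Object.entries(payload)) {
    const asDate = ['exp', 'iat', 'nbf'].includes(claim) && typeof value === 'number'
      ? ` (${new Date(value * 1000).toISOString()})`
      : '';
    lines.push(`${claim}: ${JSON.stringify(value)}${asDate}`);
  }
  lines.push(`signature: ${signature.length} bytes (not verified)`);
  return lines;
}

console.log(describeToken(SAMPLE_TOKEN).join('\n'));
```

The alphabet check matters in practice: a token copied from a log with a stray "+" or "=" in it is a sign that something along the way re-encoded it with standard Base64, which a strict verifier will reject.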

Standard JWT Claims

The JWT specification defines a set of registered claims with fixed meanings. All of them are optional as far as the specification is concerned; which ones a verifier requires is a policy decision of the receiving service. The time claims are NumericDate values, meaning seconds (not milliseconds) since the Unix epoch.

Claim   Name          Purpose
iss     Issuer        Who created the token, usually the issuer's URL
sub     Subject       Who the token is about (usually a user ID)
aud     Audience      Who the token is intended for; a single string or an array of strings
exp     Expiration    Time after which the token must be rejected (seconds since the Unix epoch)
iat     Issued At     When the token was created (seconds since the Unix epoch)
nbf     Not Before    Token must be rejected before this time (seconds since the Unix epoch)
jti     JWT ID        Unique identifier for the token, used for replay detection and revocation lists

Debugging Common JWT Issues

Token-related bugs are among the most common authentication issues developers encounter. Here are the typical problems and how to diagnose them using this decoder.

Expired Tokens

The most common issue is a token whose exp claim is in the past. This tool flags expired tokens immediately. If you see frequent expirations, check that your token refresh logic is working and that the issuer's and verifier's clocks are synchronized; most verifiers allow only a small leeway (a few seconds to a minute) for clock drift. A token that appears to expire decades in the future, or to have expired in 1970, almost always means that exp was written in milliseconds instead of seconds, or read in the wrong unit.

Wrong Audience or Issuer

When a token is rejected despite not being expired, check the aud and iss claims. Resource servers normally compare iss against the exact issuer value they trust and require their own identifier to appear in aud, which may be a single string or an array. A mismatch in either causes rejection even when the signature is valid. Trailing slashes, http versus https, and environment-specific hostnames in the issuer URL are frequent causes of a mismatch that looks correct at a glance.

Missing or Unexpected Claims

Custom claims like roles, permissions, or tenant IDs are application-specific. If your API expects a claim that is not present in the token, decode the token here to see exactly which claims it contains, and check spelling and nesting as well: a claim stored under a namespaced key or inside a nested object will not match a lookup for a top-level name. This is often faster than debugging server logs.
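To tie the registered-claims table and the three debugging cases above together, here is an added example (not the page's tool code) of the claim checks a resource server applies after it has verified the signature, written as a function that returns every problem it finds rather than stopping at the first, so a rejected token can be diagnosed in one pass. The payload and the expectations are constructed for the example; the claim names and the seconds-based time handling follow RFC 7519.

```javascript
// Added example, not the page's tool code: validation of registered claims
// as a resource server would do it after signature verification.
// Time claims are NumericDate values (seconds since the Unix epoch);
// leewaySeconds absorbs small clock drift between issuer and verifier.
// Returns an array of human-readable problems; an empty array means
// the claims are acceptable for the given expectations.

function checkClaims(payload, expected, nowSeconds, leewaySeconds = 0) {
  const problems = [];
  const { issuer, audience, requiredClaims = [] } = expected;

  if (payload.exp === undefined) {
    problems.push('missing exp: token never expires');
  } else if (typeof payload.exp !== 'number') {
    problems.push('exp is not a NumericDate (number of seconds)');
  } else if (nowSeconds >= payload.exp + leewaySeconds) {
    problems.push(`expired ${nowSeconds - payload.exp}s ago (exp=${payload.exp})`);
  }

  if (typeof payload.nbf === 'number' && nowSeconds + leewaySeconds < payload.nbf) {
    problems.push(`not yet valid: nbf is ${payload.nbf - nowSeconds}s in the future`);
  }

  if (typeof payload.iat === 'number' && payload.iat > nowSeconds + leewaySeconds) {
    problems.push(`iat is in the future (${payload.iat}); check clock synchronisation`);
  }

  if (issuer !== undefined && payload.iss !== issuer) {
    problems.push(`issuer mismatch: got ${JSON.stringify(payload.iss)}, expected ${JSON.stringify(issuer)}`);
  }

  if (audience !== undefined) {
    // aud may be a single string or an array of strings; the verifier's own
    // identifier must appear in it.
    const auds = Array.isArray(payload.aud) ? payload.aud
      : payload.aud === undefined ? [] : [payload.aud];
    if (!auds.includes(audience)) {
      problems.push(`audience mismatch: token is for ${JSON.stringify(auds)}, this service is ${JSON.stringify(audience)}`);
    }
  }

  for (const claim of requiredClaims) {
    if (!(claim in payload)) problems.push(`missing required claim: ${claim}`);
  }
  return problems;
}

// Constructed sample payload, as the decoder would show it (not a real token).
const samplePayload = {
  iss: 'https://auth.example.com',
  sub: 'user-42',
  aud: ['billing-api', 'reports-api'],
  exp: 1700003600, // 2023-11-14T23:00:00Z
  iat: 1700000000, // 2023-11-14T22:00:00Z
  roles: ['viewer'],
};

// Hypothetical expectations of one service that receives this token.
const expectedByBillingApi = {
  issuer: 'https://auth.example.com',
  audience: 'billing-api',
  requiredClaims: ['sub', 'tenant_id'],
};

// Fresh token, 30 s leeway: only the missing custom claim is reported.
console.log(checkClaims(samplePayload, expectedByBillingApi, 1700000100, 30));
// Same token 400 s after exp, no leeway: expired plus the missing claim.
console.log(checkClaims(samplePayload, expectedByBillingApi, 1700004000));
// Presented to a service with a different issuer and audience configured.
console.log(checkClaims(samplePayload, { issuer: 'https://other.example.com', audience: 'orders-api' }, 1700000100));
```

Passing the current time in as a parameter rather than reading the clock inside the function is what makes the expiry and leeway behaviour testable, and is also how you reproduce a "works on my machine" rejection caused by a server whose clock is ahead.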

JWT Security Considerations

JWTs are signed, not encrypted, by default: the common form is a JWS, and the encrypted form (JWE) is rarely used for session tokens. The Base64URL encoding of the header and payload is not protection; anyone who obtains a token can decode it and read its contents, exactly as this tool does. That is by design, because JWT relies on the signature for integrity rather than on confidentiality. Never store sensitive information like passwords, credit card numbers or personal data in JWT claims. Treat the token itself as a bearer credential as well: whoever holds it can use it until it expires, so it belongs in an httpOnly cookie or in memory, not in a URL or a log line.

The header and payload use the same alphabet as the Base64 Encoder/Decoder, with '-' and '_' substituted for '+' and '/' and no '=' padding; if you decode a segment there by hand, reverse those substitutions and restore the padding first. A signature is not a plain hash: HS256 is an HMAC keyed with the shared secret, and RS256 is an RSA signature over a SHA-256 digest of the encoded header and payload. The Hash Generator can show you the digest step, but it cannot produce or check a signature, because it has no key.

JWT Signing Algorithms

The header's alg field records how the issuer signed the token. HS256 uses a shared secret (symmetric): the same secret both creates and verifies the signature, so every service that can verify tokens can also mint them. RS256 uses a public/private key pair (asymmetric) and is preferred for distributed systems because only the issuer needs the private key, and any service can verify tokens using the public key without being able to forge them. On the verifying side, alg is something to check, not an instruction to follow: the algorithm and key a service accepts are fixed in its configuration, and a token whose header names anything else (including "none") is rejected before the signature is examined.

Frequently Asked Questions

Is it safe to paste JWT tokens into an online decoder?

This tool runs entirely in your browser and never sends your token to any server. However, JWTs are sensitive credentials that grant access to resources. Avoid pasting production tokens into tools that send data to external servers, and always check that a decoder operates client-side. If you need to share a token in a bug report, remove or truncate the signature segment: the header and payload still decode, but the copy can no longer be replayed against the API.

What is the difference between JWT decoding and verification?

Decoding simply reads the Base64URL-encoded header and payload without checking whether the token is legitimate; anyone can do it, and anyone can produce a token carrying arbitrary claims. Verification recomputes the signature over the encoded header and payload with the issuer's shared secret (HS256) or checks it against the issuer's public key (RS256) to confirm that the token came from that issuer and has not been altered, and is normally followed by claim checks such as exp, iss and aud. This tool decodes tokens for inspection but does not verify signatures, so a token that decodes cleanly here may still be rejected by the server, or may be a forgery.

Why do JWT tokens have three parts separated by dots?

The three parts are the header (algorithm and type), payload (claims and data), and signature (cryptographic proof). Each part is Base64URL-encoded. The header tells you how the token was signed, the payload contains the actual data, and the signature ensures the token has not been altered.

How do I check if a JWT token has expired?

Look at the 'exp' (expiration) claim in the payload. It holds the expiry time as seconds since the Unix epoch (not milliseconds). This tool compares that value with your browser's current time and displays whether the token is still within its validity window or has expired. Servers typically allow a small leeway for clock drift, so a token shown here as expired a few seconds ago may still be accepted briefly, and a token shown as valid may be rejected by a server whose clock runs ahead of yours.