How to Decode and Read JWT Tokens (JSON Web Token Guide)

What is a JWT?

A JSON Web Token (JWT, often pronounced 'jot') is a compact, URL-safe way to represent claims between two parties. JWTs are the backbone of modern authentication — every time you log into a web app, the server typically issues a JWT that proves your identity for subsequent requests.

A JWT is just a string with three parts separated by dots: xxxxx.yyyyy.zzzzz. Each part is Base64URL-encoded JSON or binary data. The structure is intentionally simple so that JWTs work everywhere: HTTP headers, cookies, URL parameters, and mobile apps.

Anatomy of a JWT: Header, Payload, Signature

When to Decode JWTs

Developers decode JWTs constantly. Common scenarios include:

• Debugging authentication — Why is my API returning 401?
• Inspecting expiration — When does this token expire?
• Checking user claims — What permissions does this token have?
• Verifying token format — Is the issuer correct?
• API testing — What data is the server sending in the token?
• Learning — Understanding what backend libraries actually generate

How to Use Our JWT Decoder Safely

Most online JWT decoders send your token to their server. That is a problem if your token is for production, since anyone with the token can impersonate the user. Our JWT decoder runs entirely in your browser:

• Paste the JWT into the input box
• Click 'Decode' to instantly see the header, payload, and signature
• Timestamp claims (iat, exp, nbf) are automatically converted to readable dates
• Expired tokens are flagged in red

The token never leaves your browser, so even production tokens with sensitive claims are safe to inspect.

Standard JWT Claims Explained

• iss — Issuer. Who created the token (often a URL like https://auth.example.com).
• sub — Subject. Who the token is about (typically a user ID).
• aud — Audience. Who the token is intended for (your API).
• exp — Expiration time (Unix timestamp). Token is invalid after this.
• nbf — Not Before. Token is invalid before this timestamp.
• iat — Issued At. When the token was created.
• jti — JWT ID. Unique identifier for the token (used for revocation).

JWT Security: What Decoding Does and Does Not Prove

Decoding a JWT shows you what is inside. It does NOT verify that the token is valid. Anyone can craft a JWT with any payload — only the signature, when verified with the secret key, proves authenticity.

This is why client-side JavaScript should never trust JWT contents for authorization decisions. Always verify the signature on the server using the secret/public key. Decoding is for inspection and debugging only.

Common JWT Best Practices

• Use HTTPS exclusively — JWTs in plaintext can be stolen by anyone on the network
• Set short expirations — 15-60 minutes for access tokens, longer for refresh tokens
• Use HS256 with strong secrets, or RS256/ES256 for asymmetric verification
• Never store JWTs in localStorage if XSS is a concern; use httpOnly cookies
• Keep payloads small — JWTs are sent on every request and bloat headers
• Implement token revocation via short expirations and a revocation list (jti)

Final Thoughts

JWTs are deceptively simple — three Base64-encoded segments separated by dots — but they power authentication for the modern web. Whether you are debugging a 401 error, inspecting a token's claims, or just learning how auth works, having a fast and private JWT decoder in your toolkit is essential. Our tool decodes JWTs instantly in your browser, validates the structure, and highlights expiration dates so you can debug auth issues in seconds without leaking sensitive tokens to a third party.

Frequently Asked Questions