JWT Decoder

Decode and inspect JSON Web Tokens — header, payload, and signature. Decoding only; no signature verification is performed.

Frequently Asked Questions

What is a JWT?

A JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information as a JSON object. It has three Base64URL-encoded parts separated by dots: Header (algorithm & token type), Payload (claims), and Signature. The signature is created using the chosen algorithm and a secret key held by the server.

Is the JWT payload encrypted?

No. The payload is only Base64URL-encoded, not encrypted. Anyone who holds the token can decode and read the claims. Never store sensitive data (passwords, credit card numbers) in a JWT payload unless you use JWE (JSON Web Encryption). The signature only proves the token hasn't been tampered with — it does not provide confidentiality.

How JWT Decoding Works

A JSON Web Token is three Base64URL-encoded segments joined by dots. Decoding is pure client-side — no network request is needed.

Split on Dots

The token is split at each . character into exactly 3 parts: the header, the payload, and the signature. A valid JWT always has exactly 2 dots — any other count is immediately rejected.

Base64URL Decode

Each part uses Base64URL encoding: the character '-' replaces '+', '_' replaces '/', and the trailing '=' padding is omitted. The header and payload are decoded to UTF-8 JSON strings and parsed.

Interpret Claims

Standard claims (exp, iat, nbf, sub, iss, aud) are recognized and displayed with human-readable labels. Unix timestamps are converted to readable date strings.

No verification: This tool only decodes. The signature is shown raw but is not verified. Never trust JWT claims in production without server-side signature verification using the correct secret or public key.
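The three steps above carried through in a small Node.js decoder, as an added example that is not the tool's own code. The sample token, its placeholder signature, and the optional expectedAlg check (the alg comparison described under Verifying Token Structure) are constructed here; like the tool, it decodes only and never verifies the signature.

```javascript
// Added example (not the tool's own code): the three decoding steps from the
// page, plus the alg sanity check. It decodes only; the signature is NOT verified.
const STANDARD_CLAIMS = {
  iss: 'Issuer', sub: 'Subject', aud: 'Audience', exp: 'Expiration time',
  nbf: 'Not before', iat: 'Issued at', jti: 'JWT ID',
};
const TIMESTAMP_CLAIMS = new Set(['exp', 'nbf', 'iat']);

// Base64URL -> UTF-8: restore the standard alphabet ('-' -> '+', '_' -> '/')
// and the '=' padding that Base64URL omits, then decode as ordinary Base64.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error('invalid Base64URL character');
  if (segment.length % 4 === 1) throw new Error('invalid Base64URL length');
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64.padEnd(Math.ceil(b64.length / 4) * 4, '='), 'base64').toString('utf8');
}

// Helper used only to construct the sample token below.
function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Step 1: split on dots (exactly 2). Step 2: decode header and payload.
// Step 3: label standard claims, render timestamps, compute expiry status.
function decodeJwt(token, { expectedAlg, now = Date.now() } = {}) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error(`expected 2 dots, found ${parts.length - 1}`);
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  if (expectedAlg && header.alg !== expectedAlg) {
    throw new Error(`alg mismatch: header says ${header.alg}, expected ${expectedAlg}`);
  }
  const claims = Object.entries(payload).map(([name, value]) => ({
    name, label: STANDARD_CLAIMS[name] || name, value,
    readable: TIMESTAMP_CLAIMS.has(name) && Number.isFinite(value)
      ? new Date(value * 1000).toISOString() : undefined,
  }));
  const expired = typeof payload.exp === 'number' ? payload.exp * 1000 <= now : null;
  return { header, payload, claims, signature: parts[2], expired, verified: false };
}

// Constructed sample: HS256 header, a payload with standard and custom claims,
// and a placeholder signature (no key is involved; nothing here verifies it).
const SAMPLE_PAYLOAD = { iss: 'https://issuer.example', sub: 'user-42', aud: 'api',
  iat: 1700000000, exp: 1700003600, roles: ['admin'] };
const SAMPLE_TOKEN = `${base64UrlEncode({ alg: 'HS256', typ: 'JWT' })}.${base64UrlEncode(SAMPLE_PAYLOAD)}.placeholder-signature`;

console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN, { expectedAlg: 'HS256', now: 1700001000 * 1000 }), null, 2));
```

Passing a wrong expectedAlg or a token with the wrong number of dots throws, which is the behaviour a verifier should have before it ever looks at the signature.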

Common Use Cases

Auth Flow Debugging

When building or debugging OAuth 2.0, OpenID Connect, or custom JWT auth, paste the access or ID token here to instantly inspect the algorithm, issuer, audience, expiry, and all custom claims.

Token Expiry Check

The tool shows a live expiry countdown from the exp claim. Useful when a user reports intermittent 401 errors — quickly see if the token is about to expire or has already expired.

User Claim Inspection

OpenID Connect ID tokens include user information such as email, name, roles, and groups. Decode the token to verify the correct claims are present after a login flow.

Verifying Token Structure

Before implementing JWT verification in a new language or framework, check that the token's alg header matches the expected algorithm (e.g., RS256 vs HS256) to avoid algorithm confusion vulnerabilities.

Third-Party Token Review

Third-party services (AWS Cognito, Auth0, Firebase, Okta) issue JWTs for their APIs. Decode them to understand the payload structure before building an integration, without needing their SDK.

Learning JWT Internals

Use the tool together with the Base64 Encoder/Decoder to manually decode a JWT segment-by-segment and understand exactly how the format works at the byte level.