Should JWT contents be considered secret?

No. JWT payloads are encoded (Base64URL), not encrypted. Anyone with the token can decode and read all claims (user ID, expiration, scopes, etc.). The signature only proves the token is genuine — it doesn't hide the contents. Never put confidential data in JWT claims; only use them for non-sensitive identifiers and metadata.

What does the JWT decoder do?

It parses a JWT and decodes the header and payload from Base64URL to readable JSON. It does NOT verify the signature, since that requires the secret key. Use this tool to inspect tokens during debugging, understand what claims are issued, check token expiration, and learn JWT structure.

How do I verify a JWT signature?

Use a JWT library on the server with your secret key. Don't verify in the browser — the secret would be exposed. Server-side verification ensures the JWT hasn't been tampered with and was issued by a trusted system. Common libraries: jsonwebtoken (Node), PyJWT (Python), jjwt (Java).

What are common JWT claims?

Standard claims (RFC 7519): iss (issuer), sub (subject/user ID), aud (audience), exp (expiration unix timestamp), nbf (not before), iat (issued at), jti (unique token ID). Custom claims are added freely: roles, permissions, email, name. Convention: short names for standard claims, descriptive names for custom claims.

What are JWT signing algorithms?

HS256 (HMAC-SHA256, symmetric): same secret signs and verifies — simple but secret must stay private. RS256 (RSA-SHA256, asymmetric): private key signs, public key verifies — better for distributed systems. ES256 (ECDSA): smaller signatures than RSA. The decoder shows the algorithm but doesn't perform signature verification.

What happens when a JWT expires?

The 'exp' claim is a Unix timestamp; servers reject the token if the current time is past it. Clients must request a new token (typically via refresh token flow) once the current one expires. Best practice: short access token expirations (15-60 minutes) plus long-lived refresh tokens (days/weeks).

Is my token sent anywhere?

No. The decoder runs entirely in your browser. Your JWT never leaves your device — safe for inspecting access tokens, debugging auth flows, or examining tokens with sensitive claims.

JWT Decoder

Decode and inspect JSON Web Tokens online. Free JWT decoder that reveals header, payload, claims, and expiration details instantly.

Encoding / Decoding Developer Tools

Instant results

JWT Token

About JWT Decoder

JSON Web Tokens (JWT) are an open standard for securely transmitting information between parties as a JSON object. A JWT consists of three parts: Header, Payload, and Signature.

Security Note: Never share JWTs containing sensitive information. This tool decodes but does not verify signatures.

How to Use JWT Decoder

Paste your JWT

Paste your full JSON Web Token (the three Base64URL parts separated by dots) into the input field. Decoding happens instantly.

View decoded header

The header reveals the signing algorithm (HS256, RS256, ES256), token type (JWT), and any custom header fields. Useful for understanding how the token was signed.

Inspect payload claims

The payload shows all claims: subject (sub), expiration (exp), issued-at (iat), audience (aud), issuer (iss), plus any custom claims. Crucial for debugging authentication and authorization.

Verify expiration

Check the 'exp' claim — if it's in the past (compared to current Unix timestamp), the token has expired and servers should reject it. The decoder shows expiration status visually.

When to Use JWT Decoder

Debugging authentication flows

When JWT-based auth doesn't work as expected, decode the token to inspect: claims (correct user ID? expected scopes?), expiration (still valid?), audience (intended for this service?), issuer (from trusted source?). Common bugs: expired tokens, wrong audience, missing required scopes — all visible in the decoded payload.

Understanding third-party tokens

When integrating with auth providers (Auth0, Okta, Cognito, Firebase), decode their tokens to learn the claim structure. Different providers add custom claims with different names (cognito:groups, auth0:user_metadata, https://hasura.io/jwt/claims). Understanding the structure is essential for using token data in your application.

Verifying token expiration during testing

When writing automated tests for token-protected endpoints, decode test tokens to verify their expiration is in the future (long-lived test fixtures) or has appropriate timeouts (testing token refresh logic). Compare 'exp' claim to current time to confirm validity.

Auditing token contents for security review

Security audits require checking what data is in tokens. Sensitive data (PII, internal IDs, role definitions) shouldn't be in JWT claims since they're easily decoded. Audit production tokens to ensure no secrets are leaked through the payload.

JWT Decoder Examples

Standard JWT decoding

Input

eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMiLCJuYW1lIjoiQWxpY2UiLCJpYXQiOjE2MDAwMDAwMDB9.signature

Output

Header: {"alg":"HS256"}\nPayload: {"sub":"123","name":"Alice","iat":1600000000}

The three Base64URL parts (header, payload, signature) are split on dots. Each is decoded from Base64URL to JSON. The signature is opaque — only verifiable with the secret key on the server. The header reveals signing algorithm; the payload reveals user identity and metadata.

Detecting expired token

Input

Decoded payload: {"sub":"user_42","exp":1577836800}

Output

exp = 2020-01-01 00:00:00 UTC (EXPIRED)

The 'exp' claim is a Unix timestamp. The decoder converts it to readable date and compares to current time. This token expired in 2020 — servers should reject it. Common debugging step when seeing 401 Unauthorized errors during auth flows.

Custom claims discovery

Input

Decoded payload: {"sub":"alice","https://hasura.io/jwt/claims":{"x-hasura-default-role":"user"},"https://api.acme.com/permissions":["read","write"]}

Output

Custom claims: Hasura role, Acme permissions

Auth providers and applications add custom claims using namespaced URLs (a convention to avoid conflicts). Decoding reveals what data is being passed — useful for understanding access control logic and API permissions.

Tips & Best Practices for JWT Decoder

1.Never trust JWT claims without server-side signature verification. Anyone can craft a JWT with arbitrary claims; the signature proves it was issued by a trusted party. Verify signatures using the appropriate library and key.
2.Don't put confidential data in JWT payloads. They're encoded, not encrypted. Use opaque session IDs in JWTs that map to server-side data, or use JWE (encrypted JWT) for actual confidentiality.
3.Set short expirations on access tokens (15-60 minutes) and use refresh tokens for long-lived sessions. Stolen tokens should be useless quickly. Include 'jti' (JWT ID) for tracking and revocation if needed.
4.Standard claims (RFC 7519) have 3-letter abbreviations: iss, sub, aud, exp, nbf, iat, jti. Custom claims should use namespaced URLs to avoid conflicts with future standards or other libraries.
5.When debugging, also check the 'alg' header. None ('alg':'none') was a CVE in old libraries — they accepted unsigned tokens. Modern libraries reject 'none' but it's worth verifying. RS256 (asymmetric) is preferred for distributed systems; HS256 for single-service apps.
6.For very small tokens, consider not using JWT — opaque random tokens (UUID) referencing server-side session data have less overhead. JWT shines when you need stateless verification (no DB lookup) across multiple services.

Frequently Asked Questions

JWT (JSON Web Token) is a compact, URL-safe token format used for authentication and authorization. A JWT consists of three Base64URL-encoded parts separated by dots: header.payload.signature. The header specifies the algorithm; payload contains claims (data); signature verifies the token wasn't tampered with.

JWT Decoder

About JWT Decoder

How to Use JWT Decoder

Paste your JWT

View decoded header

Inspect payload claims

Verify expiration

When to Use JWT Decoder

Debugging authentication flows

Understanding third-party tokens

Verifying token expiration during testing

Auditing token contents for security review

JWT Decoder Examples

Standard JWT decoding

Detecting expired token

Custom claims discovery

Tips & Best Practices for JWT Decoder

Frequently Asked Questions

Related Tools

Base64 Decoder

URL Decoder

HTML Entity Decoder

Hex to Text

Binary to Text Converter

ROT13 Encoder/Decoder