JWT Token Decode

Decode JWT tokens to view header and payload. For API auth debugging.

About this tool

This tool decodes JWT tokens in one click. Three features: 1) Paste a JWT to display its Header and Payload as JSON, 2) Inspect the exp, sub and aud claims, 3) All processing happens in your browser; no data is sent to any server. Ideal for API auth debugging.

Tool interface

This tool only decodes. It does not verify signatures, so a decoded token tells you what it claims, not whether those claims are genuine. Do not use it for tamper detection.

Auto-decodes on input or paste


What is a JWT (JSON Web Token)? The Mechanics of Decoding

JSON Web Token (JWT, pronounced "jot") is an open standard (RFC 7519) that defines a compact, URL-safe way to represent claims as a JSON object passed between parties. When the token is signed (a JWS), the recipient can check that the claims are intact and were issued by the holder of the signing key; the signature does not hide anything, and the contents stay readable unless the token is additionally encrypted (JWE). JWTs are widely used for stateless authentication and information exchange across modern web applications.

The 3 Structural Components of a JWT

A JWT string consists of three Base64Url-encoded parts separated by dots (.):

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
  • 1. Header

    Typically consists of two parts: the type of the token (JWT) and the signing algorithm being used, such as HMAC SHA256 or RSA. The header travels with the token and is under the sender's control, so a verifier must pin the algorithms it accepts rather than take alg from the header.

  • 2. Payload (Claims)

    Contains the statements (claims) about an entity (typically, the user) and additional data. Common claims include the user identifier (sub) and expiration time (exp). Warning: The payload is merely encoded, NOT encrypted. Never place passwords or sensitive secrets here.

  • 3. Signature

    Computed over the encoded header and the encoded payload with the algorithm named in the header, using a shared secret (HMAC) or the issuer's private key (RSA, ECDSA). Checking the signature is what proves the token was not changed along the way and was issued by the holder of that key; decoding alone proves neither.

Why Can Anyone Decode My JWT?

As highlighted above, the Header and Payload are only Base64Url encoded. They are completely transparent to anyone who intercepts the token. Encoding is merely a way of altering the data format, unlike encryption, which requires a cryptographic key to read the data. This is exactly how this very tool can display your token's internal payload without needing your server's secret keys.

How to Decode JWTs in Code

If you need to peek at the payload within your codebase without performing complete signature validation, for example to log the sub or show the expiry in a debugging view, you can do so manually. Do not base any authorization decision on claims read this way; that requires a verified token.

Node.js / Vanilla JavaScript

const token = "eyJhbG...";
const [header, payload, signature] = token.split('.');
// Node 15.7+: the 'base64url' codec accepts the -/_ alphabet and the missing '=' padding
const decodeSegment = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
console.log(decodeSegment(header), decodeSegment(payload));
// Browser (no Buffer): map -/_ back to +// and pad to a multiple of 4 before atob(); fine for ASCII claims
const fromBase64Url = (seg) => atob(seg.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(seg.length / 4) * 4, '='));
// `signature` is kept only for display; nothing here verifies it
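Going a step beyond the snippet above, here is an added example (not this tool's code) of a decoder that validates the token's shape before decoding and then performs the exp, nbf and aud checks this tool's feature list describes. It runs on the sample token shown on this page and on a constructed, unsigned token with an expired exp and an aud claim. Assumes Node.js 16 or later; no dependencies.

```javascript
// Added example (not the tool's code): decode a JWT and inspect its time and audience claims.

// Base64Url -> UTF-8 -> JSON. JWT segments carry no '=' padding; Node's 'base64url' codec copes.
function decodeSegment(segment) {
  return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
}

// Require exactly three dot-separated segments; decode header and payload, pass the signature through untouched.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [header, payload, signature] = parts;
  return { header: decodeSegment(header), payload: decodeSegment(payload), signature };
}

// Registered claims from RFC 7519 section 4.1: exp must be in the future, nbf must not be,
// aud (a string or an array) must contain the expected audience, sub should be present.
// Returns a list of problems; an empty list means the claims look acceptable. `now` is in seconds.
function inspectClaims(payload, { now = Math.floor(Date.now() / 1000), expectedAud } = {}) {
  const problems = [];
  if (typeof payload.exp === 'number' && payload.exp <= now) {
    problems.push(`expired ${now - payload.exp}s ago (exp=${payload.exp})`);
  }
  if (typeof payload.nbf === 'number' && payload.nbf > now) {
    problems.push(`not valid for another ${payload.nbf - now}s (nbf=${payload.nbf})`);
  }
  if (expectedAud !== undefined) {
    const aud = Array.isArray(payload.aud) ? payload.aud : payload.aud === undefined ? [] : [payload.aud];
    if (!aud.includes(expectedAud)) {
      problems.push(`aud ${JSON.stringify(payload.aud)} does not include ${expectedAud}`);
    }
  }
  if (payload.sub === undefined) problems.push('sub claim absent');
  return problems;
}

// The sample token shown on this page (HS256 header; payload with sub, name, iat and no exp).
const SAMPLE_TOKEN = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

// A constructed token with an expired exp and an aud claim. The signature segment is left
// empty on purpose: this example decodes and inspects, it never verifies.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const EXPIRED_TOKEN = `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url({ sub: 'alice', aud: ['api.example.test'], iat: 1700000000, exp: 1700003600 })}.`;

function demo() {
  const sample = decodeJwt(SAMPLE_TOKEN);
  const expired = decodeJwt(EXPIRED_TOKEN);
  return {
    sampleAlg: sample.header.alg,   // 'HS256'
    sampleSub: sample.payload.sub,  // '1234567890'
    sampleProblems: inspectClaims(sample.payload, { now: 1516239022 }), // []: the sample has no exp at all
    // one hour past exp, and the caller expects a different audience: two problems
    expiredProblems: inspectClaims(expired.payload, { now: 1700007200, expectedAud: 'web.example.test' }),
  };
}

console.log(demo());
```

Note that a token with no exp, like the page's sample, never expires by this check; whether that is acceptable is the issuer's policy, not the decoder's call.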

Security Best Practice: Client-Side Only Decoding

Pasting a production authorization token into a random online decoder is highly risky. A JWT is a bearer credential: if the third-party server logs your token, whoever reads that log can call your API as that user until the token expires or is revoked.

Our JWT Decoder tool is built entirely as a 100% Client-Side application. We utilize JavaScript entirely within your browser to parse the JWT strings. No payloads, signatures, or tokens ever leave your local machine or are transmitted to our servers.

Usage

  1. Paste JWT in the input field
  2. Click decode to show Header and Payload as JSON
  3. Check the exp, sub and aud claims. The signature is displayed but not verified

When to use

API auth debugging, checking token expiry/claims, inspecting OAuth 2.0 access tokens and OIDC ID tokens (inspection only; this tool does not verify them).

Examples

Paste eyJhbGciOiJIUzI1NiIs... to view Header/Payload. Check exp, sub, aud claims.

FAQ

What is JWT?

JSON Web Token. Token format for API auth and OAuth 2.0. Header.Payload.Signature, Base64URL encoded.

Structure of JWT?

Header.Payload.Signature. Header=algorithm and token type, Payload=claims (exp, sub, aud), Signature=HMAC or digital signature computed over the encoded header and payload.

What is exp in JWT?

Expiration. Unix timestamp (seconds since epoch, not milliseconds) after which the token must be rejected. Decode to read it and compare with the current time.

Where is JWT used?

API auth, OAuth 2.0, OpenID Connect, microservice auth. Stateless, scalable.
