JSON Web Tokens (JWTs) are everywhere — OAuth flows, API authentication, session management. But when debugging an auth issue, you often need to peek inside a token to see what claims it carries.
What Is a JWT?
A JWT is a compact, URL-safe string made of three Base64URL-encoded parts separated by dots:
header.payload.signature
- Header: Token type and signing algorithm (e.g., {"alg":"HS256","typ":"JWT"})
- Payload: Claims — user ID, expiry, roles, custom data
- Signature: Cryptographic proof the token wasn't tampered with
How to Decode a JWT Online
Paste any JWT into the JWT Decoder to instantly see:
- The decoded header and payload as formatted JSON
- The expiry time (exp claim) in human-readable format
- Whether the token is expired
- All standard claims (iss, sub, aud, etc.)
The decoder runs entirely in your browser — your JWT never leaves your device. This is important because JWTs can contain sensitive user data.
Decoding a JWT Manually
Each part of a JWT is Base64URL encoded. To decode manually:
- Split the token on the . character
- Take the first (header) or second (payload) part
- Replace - with + and _ with / (Base64URL → Base64)
- Decode from Base64 — you'll get a JSON string
Use the Base64 Decoder if you want to decode a JWT part manually.
What JWT Decoding Doesn't Do
Decoding is not the same as verification. Decoding just reads the payload — it doesn't check the signature. Anyone can decode a JWT without the secret key. That's fine for debugging, but your server must always verify the signature before trusting the claims.
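The manual decoding steps above and the decode-versus-verify distinction, as an added example (not the decoder tool's own code). It uses only the Python standard library; the secret, claims and token are constructed here for illustration, and the verifier accepts HS256 only.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(part: str) -> bytes:
    """Base64URL -> Base64 -> bytes. JWT parts omit '=' padding, so restore it."""
    part = part.replace("-", "+").replace("_", "/")
    part += "=" * (-len(part) % 4)
    return base64.b64decode(part)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token: str) -> dict:
    """Read header and payload only. No secret needed, no signature checked."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    exp = payload.get("exp")  # Unix seconds
    return {"header": header, "payload": payload,
            "expired": exp is not None and time.time() >= exp}


def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute HMAC-SHA256 over 'header.payload' and compare in constant time."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(signature_b64))


def make_hs256_token(payload: dict, secret: bytes) -> str:
    """Builds the constructed sample token for this example (a real one comes from your issuer)."""
    compact = {"separators": (",", ":")}
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload_b64 = b64url_encode(json.dumps(payload, **compact).encode())
    sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


SECRET = b"example-secret"  # constructed for this example only
SAMPLE = make_hs256_token({"sub": "user-42", "iss": "auth.example", "exp": 1700000000}, SECRET)

if __name__ == "__main__":
    print(json.dumps(decode_jwt(SAMPLE), indent=2))   # readable, but unverified
    print("signature valid:", verify_hs256(SAMPLE, SECRET))
```

A payload edited after signing still decodes cleanly, which is exactly why the server must run the verification step rather than trusting what the decoder shows.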
Common JWT Claims to Check
- exp — expiry timestamp (Unix seconds)
- iat — issued-at timestamp
- sub — subject (usually user ID)
- iss — issuer (which service issued the token)
- aud — audience (which service should accept it)