🎫 JWT Decoder

Decode the JWT token to check the header, payload, and signature.

Usage and Application Examples

  • Check the payload contents of the JWT token received from the API
  • Quickly check authentication token expiration date (exp) and user information
  • Isolate and verify each section of JWT (header/payload/signature) during debugging
  • Verify contents of tokens issued in OAuth authentication flow

What is JWT Decoder?

A JWT (JSON Web Token) decoder is a tool that breaks down a token into its three components—header, payload, and signature—allowing developers to inspect the data encoded inside without executing code. JWTs are compact, self-contained credentials used across web APIs, mobile apps, and microservices for authentication and session management. Unlike passwords stored on a server, JWTs bundle user identity and permissions into a single string, enabling stateless authentication where the server doesn't need to look up session data on every request. A JWT decoder reveals what information is packed into the token, when it expires, and whether the signature is valid, making it invaluable for debugging authentication failures and verifying token structure.

How to Use

To decode a JWT, paste your full token string into the decoder's input field. The token looks like three base64url-encoded segments separated by dots: header.payload.signature. Once pasted, click Decode and the tool immediately displays three sections: the header (showing the algorithm used, typically HS256 or RS256), the payload (revealing the actual data like user ID, email, role, and expiration time), and the signature (which allows you to verify the token wasn't tampered with). If you want to verify the signature, select the algorithm from the dropdown, enter your secret key if using HMAC, and the tool checks whether the signature is valid. Many decoders also show the expiration time in both UTC format and human-readable form, plus a countdown of how many seconds remain before the token expires.

Use Cases

A backend developer debugging a 401 Unauthorized error in their Node.js API quickly pastes the incoming token into the decoder, discovers the token expired three hours ago, and realizes the client-side token refresh logic isn't triggering correctly. A security engineer conducting a penetration test decodes tokens from a web application, checks if the payload contains sensitive data that should be encrypted further, and verifies that user roles and permissions are correctly encoded. A DevOps engineer managing microservices needs to confirm that a token issued by the authentication service contains the required claims (like user ID and service scope) that downstream services expect, spotting a misconfigured issuer claim that's breaking service-to-service calls. A mobile app developer testing token expiration logic decodes the token returned from their server, confirms the expiration matches what they configured (e.g., 24 hours), and adjusts the token refresh interval accordingly.

Common Mistakes & Solutions

Users often paste only the token payload or header instead of the complete token string, causing the decoder to fail or show Invalid token errors. Always ensure you're copying the entire token from the Authorization header, including all three segments separated by periods. Another mistake is assuming a decoded token is secure because it's encoded—JWTs are encoded, not encrypted, so anyone with the token can read the payload. Never include passwords, credit card numbers, or other highly sensitive data in the JWT payload; store only public identifiers like user ID and role. A third pitfall is forgetting that decoding without a valid secret key can't verify the signature, so you might think a token is genuine when it's actually forged.

Tips & Insights

JWT tokens include an iss (issuer) and sub (subject) claim by convention; the issuer identifies which service created the token, and the subject identifies whom the token represents (usually the user ID). The exp (expiration) claim is crucial for security—tokens without expiration times remain valid forever, increasing vulnerability if leaked. A short expiration time like 15 minutes plus a refresh token mechanism is the industry standard for balancing security and user experience. Including standardized claims makes token validation more reliable across services, and supporting custom claims—arbitrary key-value pairs you define for your application like department or subscription_tier—lets you embed authorization data directly in the token, eliminating extra database lookups on every request.

Frequently Asked Questions

How do I use the JWT decoder?

When a JWT token is pasted, the header and payload are automatically decoded and displayed.

Can I check the expiration date of my token?

Yes. The exp (expiration date) in the payload is automatically converted to a human-readable date and time.

What is the structure of the JWT?

A JWT is a string consisting of three parts joined by dots (.): the header (algorithm information), the payload (data body), and the signature.

Where can I find the expiration date of my JWT?

The "exp" field in the payload portion indicates the expiration date with a Unix timestamp. When decoded by this tool, it is displayed in an easy-to-read format.

Can you verify JWT signatures?

Yes, signature verification for HMAC-based algorithms (HS256/HS384/HS512) is supported. Once the shared secret key is entered, the signature is verified locally in the browser using the Web Crypto API.

Can you confirm the meaning of Claim?

Yes, descriptions of standard claims such as iss (issuer), sub (subject), aud (audience), exp (expiration time), iat (issued at), etc. appear automatically.

Is it safe to paste my JWT token on this website?

Yes, this JWT decoder processes your token entirely in your browser without sending it to any server, so your token data remains private and secure. However, never paste production tokens with sensitive claims into any online tool unless you're confident about its security. For maximum security, decode tokens on your local machine using command-line tools or libraries.

What does each part of the JWT structure mean?

A JWT has three parts separated by dots: Header (specifies the token type and the signing algorithm), Payload (contains user claims and data), and Signature (verifies the token wasn't tampered with). The signature is computed using a secret key known only to the server, ensuring the token is authentic. Decoding the first two parts is straightforward, but verifying the signature requires the original secret key.

Can I decode tokens that use different algorithms?

This decoder supports all standard JWT algorithms including HS256, HS384, HS512, RS256, RS384, RS512, and others. However, signature verification only works when you have the correct secret key or public key for that algorithm. For asymmetric algorithms like RS256, you'll need the public key to verify authenticity.

What should I do if my JWT token is expired?

You can still decode an expired token to view its payload and claims, but it won't be accepted by most systems for authentication. Depending on your application, you may be able to use a refresh token to obtain a new valid JWT. Check your application's documentation for the process to refresh or renew your authentication token.

What information should never be stored in a JWT?

Since JWT payloads are only encoded (not encrypted), never store passwords, API keys, credit card numbers, or other highly sensitive secrets in the token. Confidential information like this should be stored securely on the server side and referenced by a user ID in the token instead. Use HTTPS to protect your tokens during transmission, as they can be decoded by anyone who has access to them.

How can I verify the signature of my JWT token?

To verify a signature, you need the same secret key (for HMAC algorithms) or the issuer's public key (for RSA algorithms) that was used to sign the token. This tool will display the payload and header, but signature verification requires you to provide the key. Most JWT libraries have built-in verification methods that handle this automatically when you have the correct key.