JWT Decoder – Decode & Inspect JSON Web Tokens
The Complete Guide to JSON Web Tokens (JWT) Decoding
JSON Web Tokens, or JWTs, have become the standard for securely sharing information between a client and a server. If you've ever built a modern web application, you've likely used them for authentication. But while they look like a random jumble of characters, they are actually structured, base64-encoded objects. This tool is designed to help you peek inside those tokens, understand their structure, and debug your implementation without ever sending your data to a third-party server.
How to Decode a JWT Manually?
Using an online decoder is the fastest way, but it's important to understand what's happening under the hood. To decode a JWT, you follow these steps:
- Identify the parts: A JWT is composed of three strings separated by dots: Header.Payload.Signature.
- Base64Url Decoding: Take the first part (the Header) and the second part (the Payload) and decode them using a Base64Url algorithm. Note that this is slightly different from standard Base64: it replaces + with - and / with _, and the trailing = padding is dropped.
- JSON Parsing: Once decoded, you'll have two JSON strings. You can then parse these into objects to read the claims and algorithm details.
Anatomy of a JWT
A JWT isn't just a random string; it’s a carefully crafted object. Let’s break down the three sections you see in our decoder results:
1. The Header
The header tells the recipient how to handle the token. It usually contains two fields:
- alg: The signing algorithm being used, such as HS256 (HMAC SHA256) or RS256 (RSA Signature with SHA256).
- typ: The type of token, which is almost always "JWT".
2. The Payload (Claims)
This is the meat of the token. It contains "claims," which are statements about the user and additional technical metadata. There are three types of claims:
- Registered Claims: These are pre-defined claims like iss (issuer), exp (expiration time), sub (subject), and aud (audience).
- Public Claims: These can be defined at will by those using JWTs, but should be collision-resistant.
- Private Claims: Custom claims created to share information between parties that agree on using them (like user_id or role).
3. The Signature
The signature is created by taking the encoded header, the encoded payload, a secret, and the algorithm specified in the header. It’s used to verify that the sender is who they say they are and to ensure that the message wasn’t changed along the way.
Real-World Use Cases for JWTs
Why are JWTs so popular? Here are the most common scenarios where you'll encounter them:
Authentication
The most common use case. Once a user logs in, each subsequent request will include the JWT, allowing the user to access routes and resources that are permitted with that token.
Information Exchange
JWTs are a great way of securely transmitting information between parties. Because they can be signed, you can be sure that the senders are who they say they are.
Security Best Practices for Developers
Using JWTs incorrectly can lead to serious security vulnerabilities. If you're implementing JWT auth, keep these rules in mind:
- Never put sensitive data in the payload: Remember, the payload is only base64 encoded, not encrypted. Anyone who sees the token can read the data inside. Don't store passwords, credit card numbers, or internal PII here.
- Validate the 'alg' claim: Never trust the algorithm specified in the header blindly. An attacker could change RS256 to none to bypass signature verification if your backend isn't properly configured.
- Always check the 'exp' claim: Tokens should be short-lived. Always verify the expiration time on the server to prevent re-use of old tokens.
- Use HTTPS: Since the token is sent in the header of every request, use TLS/SSL to prevent man-in-the-middle attacks from intercepting the token.
How to Decode JWT in Your Code
While we have this handy tool, sometimes you need to do this programmatically. Here are some quick snippets:
JavaScript (Node.js/Browser)
// token holds the full JWT string (Header.Payload.Signature)
// Take the second segment (the payload) and convert Base64Url to standard Base64
const base64Url = token.split('.')[1];
const base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');
// atob() returns a binary string; percent-encode each byte so UTF-8 text in the claims decodes correctly
const jsonPayload = decodeURIComponent(atob(base64).split('').map(function(c) {
return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);
}).join(''));
console.log(JSON.parse(jsonPayload));
Python
import base64
import json
# token holds the full JWT string (Header.Payload.Signature)
payload = token.split('.')[1]
# Restore the '=' padding that Base64Url drops (adds 0 to 3 characters, never 4)
payload += '=' * (-len(payload) % 4)
decoded = base64.urlsafe_b64decode(payload)
print(json.loads(decoded))
Frequently Asked Questions
iss (The issuer of the token), sub (The subject, usually the user ID), aud (The intended audience), exp (Expiration time in Unix timestamp), and iat (The time the token was issued).