Decode Your Token
What is a JWT Decoder?
A JWT (JSON Web Token) decoder is an essential developer tool for inspecting the contents of authentication tokens. JWTs are widely used in modern web applications for stateless authentication and information exchange between parties.
This online JWT decoder lets you decode and inspect any JWT instantly without sending it to a server. All processing happens locally in your browser, so your tokens never leave your device.
JWT Structure Explained
A JWT consists of three parts separated by dots (.):
- Header: Metadata about the token, chiefly the algorithm used to sign it (e.g., HS256, RS256)
- Payload: The claims - user identity, expiration time, issuer, audience, and other application data
- Signature: Computed over the encoded header and payload with the issuer's key: an HMAC with a shared secret for HS256, or a digital signature with a private key for RS256. It lets a recipient detect tampering; it does not hide the contents
Each part is Base64URL-encoded and the three are joined with dots. Base64URL is an encoding, not encryption: anyone who obtains a token can decode its header and payload and read them.
Common JWT Claims
{"iss": "https://auth.example.com"}
Identifies who issued this token
{"sub": "user123"}
Identifies the subject (usually user ID)
{"aud": "my-app"}
Identifies who the token is intended for
{"exp": 1516239022}
Unix timestamp when token expires
{"iat": 1516239022}
Unix timestamp when token was created
JWT vs Session Authentication
Traditional session-based authentication stores user state on the server. JWTs are stateless: the user information is embedded in the token itself, and any server holding the verification key can check it. This makes JWTs a good fit for distributed systems and microservice architectures where multiple servers must authenticate users without sharing session state.
However, JWTs have trade-offs. Once issued, a JWT stays valid until it expires; nothing in the token lets the issuer revoke it. For logout you need a server-side denylist of token ids (which reintroduces state), or short-lived access tokens paired with refresh tokens.
Security Considerations
- Never put sensitive data in the JWT payload - The payload is Base64URL-encoded, not encrypted. Anyone who obtains the token can read it.
- Use short expiration times - Set exp to an appropriate interval (typically 15 minutes to 1 hour for access tokens) and use refresh tokens for longer sessions
- Choose the signing algorithm deliberately - HS256 uses a shared secret, so every service that can verify tokens can also mint them. RS256 lets services verify with the issuer's public key alone, which is why it is preferred when more than one party verifies tokens. Whatever you choose, the verifier must pin the expected algorithm rather than trust the token's alg header, and must reject "none"
- Validate all claims - Check the signature first, then issuer, audience, and expiration (and nbf if present) on every request
- Keep secrets secure - Never commit signing secrets or private keys to version control
Real-World Use Cases
- Debug Authentication Issues: When login fails, decode the token to see if it's malformed, expired, or contains wrong claims
- Inspect OAuth Tokens: Verify that OAuth providers include correct scopes and audiences in issued tokens
- Learn JWT Structure: Developers new to JWTs can use this tool to understand how tokens are structured
- Verify Token Claims: Check if user ID, roles, or permissions are correctly embedded before debugging authorization logic
- API Development: When building APIs that accept JWTs, test token parsing before integrating with your backend
Frequently Asked Questions
Is my JWT token sent to a server?
No. This JWT decoder works entirely in your browser using JavaScript. Your token is decoded locally and never transmitted to any server. You can verify this by using the tool offline or checking your browser's network tab.
What's the difference between encoding and encryption?
JWTs use Base64URL encoding, which is reversible: anyone can decode a JWT and read its contents. The signature lets a recipient detect tampering, but it does not hide anything. Never put sensitive data such as passwords or credit card numbers in a JWT payload.
Why is my JWT showing as invalid?
A JWT has three parts separated by dots. If any part is missing or malformed, the token is invalid. Common causes: extra whitespace, missing dots, non-Base64URL characters, or corrupted encoding. Copy and paste carefully from the source.
What does "Invalid token format" mean?
This means the token doesn't have the expected three-part structure (header.payload.signature). JWTs should look like three Base64URL strings separated by dots, like: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.signature
How do I decode a JWT without a library?
You can decode a JWT by hand: split on the dot character, then Base64URL-decode the first two parts and parse them as JSON. In JavaScript: JSON.parse(atob(token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/'))). Base64URL omits the trailing = padding, which atob in current browsers tolerates; if a claim contains non-ASCII text, decode the bytes atob returns as UTF-8 rather than using them as a string directly. Decoding does not check the signature, so it tells you what the token says, not whether it is genuine.
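The manual decoding above, as an added example that is not part of this tool's source: a small decoder with the format checks the two previous answers describe (three parts, Base64URL characters only, whitespace trimmed), Base64URL padding restored, and UTF-8 handling for non-ASCII claim values. It runs in a browser console or in Node 16 or newer; the sample token is constructed inside the block and its signature segment is a placeholder, since decoding never verifies the signature.

```javascript
// Added example (not this tool's own source): decode a JWT's header and payload in
// plain JavaScript, applying the format checks the FAQ describes. Runs in browsers and
// in Node >= 16 (globals: atob, btoa, TextEncoder, TextDecoder). Decoding only: the
// signature is NOT verified, so nothing here tells you whether the token is genuine.

function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error('segment contains non-Base64URL characters');
  }
  // Base64URL -> standard Base64 alphabet, then restore the '=' padding JWTs strip.
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('segment has an impossible Base64 length');
  if (rem !== 0) b64 += '='.repeat(4 - rem);
  // atob returns a "binary string" (one char per byte); decode those bytes as UTF-8
  // so non-ASCII claim values survive intact.
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

function base64UrlEncode(text) {
  const bytes = new TextEncoder().encode(text);
  const bin = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwt(token) {
  // Leading/trailing whitespace from copy-paste is the most common "invalid token" cause.
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`Invalid token format: expected header.payload.signature, got ${parts.length} part(s)`);
  }
  const [h, p, s] = parts;
  if (!/^[A-Za-z0-9_-]*$/.test(s)) throw new Error('signature contains non-Base64URL characters');
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  if (header === null || typeof header !== 'object' || typeof header.alg !== 'string') {
    throw new Error('header is not a JSON object with an "alg" member');
  }
  if (payload === null || typeof payload !== 'object') {
    throw new Error('payload is not a JSON object');
  }
  return { header, payload, signature: s };
}

// For the "is it expired?" debugging case: exp and nbf are seconds since the Unix epoch.
function lifetimeStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) return 'not yet valid';
  if (typeof payload.exp !== 'number') return 'no exp claim';
  return nowSeconds >= payload.exp ? 'expired' : 'valid';
}

// Constructed sample: encode a header and a payload (with a non-ASCII claim value),
// attach a placeholder signature segment, then decode the result again.
const sampleToken = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ sub: 'user123', name: 'Zoë', exp: 1516239022 })),
  'signature-placeholder',
].join('.');

const decoded = decodeJwt(sampleToken);
console.log(decoded.header, decoded.payload, lifetimeStatus(decoded.payload, 1516239000));
```

Paste any real token into decodeJwt to get the same header/payload view this page shows; the thrown error messages correspond to the "invalid token" causes listed in the previous two answers.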
Can I modify a JWT and re-encode it?
You can change the payload and re-encode it, but the signature will no longer match. Recipients verify the signature with the original signing secret (HS256) or the issuer's public key (RS256), so without the issuer's key a modified token is rejected. This is what protects JWTs against tampering, provided the verifier actually checks the signature and does not accept the none algorithm.