JWT Decoder: Complete Guide



A JWT decoder lets you inspect the contents of a JSON Web Token without sending it anywhere or needing a secret key. It reads the base64-encoded header and payload, displays them as formatted JSON, and calculates human-readable timestamps for any expiration claims. Use the JWT Decoder to safely examine tokens locally in your browser.

What Is a JWT and How Does It Work?

A JSON Web Token (JWT) is a compact, URL-safe standard for transmitting claims between two parties. It is widely used in authentication systems, API authorization, and single sign-on (SSO) flows. A JWT consists of three parts separated by dots: the header, the payload, and the signature.

The format rules are strict. The header and payload are each Base64URL-encoded JSON objects. Unlike regular Base64, Base64URL uses hyphens (-) instead of plus signs (+) and underscores (_) instead of slashes (/), making the string safe for URLs. Padding with equals signs (=) is omitted. The signature is computed by applying the algorithm specified in the header to a string formed by joining the encoded header and payload with a dot.

Critically, encoding is not encryption. Anyone with a JWT can decode the header and payload—they're just Base64URL encoded, not encrypted. The signature proves authenticity only if you have the secret key or public key to verify it. Never store sensitive data like passwords in the payload.

Verified Worked Example

Below is a complete example showing exactly what the JWT Decoder tool takes as input and produces as output. The token is a structurally correct JWT with standard claims; its signature is illustrative only and is not verified.

Input (JWT string)

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c3IuMTIzNCIsIm5hbWUiOiJKYW5lIERvZSIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTcwNjgwMDAwMCwiZXhwIjoxNzA2ODg2NDAwfQ.xQg7KcFQV3mL9qR2vN4pS8tY6hW1oD3cM5bE0fG9kZr

Output (decoded result)

```json
{
  "header": {
    "alg": "HS256",
    "typ": "JWT"
  },
  "payload": {
    "sub": "usr.1234",
    "name": "Jane Doe",
    "role": "admin",
    "iat": 1706800000,
    "exp": 1706886400
  },
  "expiresAt": "2024-02-02 16:26:40 UTC"
}
```

In this example, the header declares HS256 signing, the payload contains a user subject, name, role, and standard timestamps (iat = issued at, exp = expiration), and the tool converts the Unix timestamp in "exp" to a human-readable date. The signature is shown but not verified—this tool decodes only; signature verification requires the secret key.
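The decoding rules described above, as an added example that is not the tool's own code: a minimal Node.js decoder (it relies on `Buffer`) that restores Base64URL padding, insists on exactly three parts, trims copy-paste whitespace, leaves the signature opaque, and checks the time claims against a caller-supplied clock; the `checkTimeClaims` function and the `'active'`/`'expired'` labels are this example's own.

```javascript
// Added example, not the tool's own code: decode only, no signature check.
const B64URL_RE = /^[A-Za-z0-9_-]+$/;

// Base64URL -> bytes: swap '-'/'_' back to '+'/'/', restore the padding the
// JWT format omits, then decode as ordinary Base64.
function base64UrlDecode(s) {
  if (!B64URL_RE.test(s)) throw new Error('Invalid JWT format: not Base64URL');
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64');
}

function decodeJwt(token) {
  // Copy-paste often adds a trailing newline: strip it, then insist on
  // exactly three dot-separated parts (header.payload.signature).
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`Invalid JWT format: expected 3 parts, got ${parts.length}`);
  }
  const [h, p, sig] = parts;
  const header = JSON.parse(base64UrlDecode(h).toString('utf8'));
  const payload = JSON.parse(base64UrlDecode(p).toString('utf8'));
  // The third part is raw signature bytes, not JSON: report its decoded
  // length (32 bytes for HS256) but never try to parse it.
  return { header, payload, signature: sig, signatureBytes: base64UrlDecode(sig).length };
}

// exp/nbf are seconds since the Unix epoch and carry no timezone.
// `nowSeconds` is a parameter so the result is reproducible.
function checkTimeClaims(payload, nowSeconds, leewaySeconds = 0) {
  if (typeof payload.exp === 'number' && nowSeconds >= payload.exp + leewaySeconds) {
    return 'expired';
  }
  if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf - leewaySeconds) {
    return 'not-yet-valid';
  }
  return 'active';
}

// The token from the worked example on this page.
const EXAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiJ1c3IuMTIzNCIsIm5hbWUiOiJKYW5lIERvZSIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTcwNjgwMDAwMCwiZXhwIjoxNzA2ODg2NDAwfQ.' +
  'xQg7KcFQV3mL9qR2vN4pS8tY6hW1oD3cM5bE0fG9kZr';

const decoded = decodeJwt(EXAMPLE_TOKEN + '\n');
console.log(JSON.stringify(decoded, null, 2), checkTimeClaims(decoded.payload, 1706800001));
```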

Common Mistakes and Errors

Mistake 1: Pasting a Truncated or Extra Token

Users sometimes paste only the first two parts (header.payload) or accidentally include trailing whitespace or line breaks. The decoder expects exactly three dot-separated Base64URL strings. If you see an "Invalid JWT format" error, check that you copied the entire token from start to end and that it contains no extra characters.

Fix: Select the full token manually—don't rely on auto-selected text in a terminal or log viewer. Paste into a plain text editor first to verify it has exactly two dots and no trailing characters.

Mistake 2: Confusing the Signature with a Third Part of the Data

Newcomers sometimes believe the third part of a JWT is encrypted data or additional claims. It's not—it's a signature string computed from the header and payload. The signature proves integrity but contains no readable claims.

Fix: Understand that the signature is opaque binary data encoded in Base64URL. You can copy it to compare against a known-good token, but it never decodes into meaningful JSON; its only use is verification against the signing key.

Mistake 3: Assuming the Tool Verifies Tokens

The JWT Decoder does not check whether a signature is valid. A token can be structurally perfect yet forged if someone signed it with a different secret. If you're debugging authentication failures, decoding the token tells you what's claimed, not whether the claim is trustworthy.

Fix: For signature verification, use a library specific to your programming language (like jsonwebtoken for Node.js or PyJWT for Python), configured with the algorithm you expect and the appropriate secret or public key. The decoder is for inspection only.

Mistake 4: Ignoring Timezone in Expiry Display

When a payload contains "exp" (expiration) and "iat" (issued at), these are Unix timestamps: seconds since the epoch, which is defined in UTC. Users sometimes mistake the displayed UTC time for their local timezone.

Fix: Note the timezone suffix in the output. If you need local time, convert the Unix timestamp (shown in the payload JSON) using your system's time conversion tools.

When and Why to Use a JWT Decoder

You need a JWT decoder in several practical scenarios, such as authentication debugging, OAuth integration, security auditing, and learning how tokens are structured.

The key advantage of a local decoder like this one is privacy: the token never leaves your browser. When debugging production issues with sensitive user IDs or internal subject claims, you don't want to paste those into an online service. Everything stays on your machine.

FAQ

1. Is my token secure when using this tool?

Yes. The JWT Decoder runs entirely in your browser with JavaScript. The token you paste is processed client-side and is never transmitted to any server. As long as you're using the tool from the official URL, your data stays local. However, if you're working with highly sensitive tokens (like those containing financial or medical data), consider using an offline tool or running a local decoder in a sandboxed environment.

2. Why does the signature show as raw text instead of decoded JSON?

The signature is not JSON; it is a cryptographic value (an HMAC for HS256, a digital signature for RS256 or ES256) encoded in Base64URL. It is unreadable by design: its purpose is verification, not data storage. The JWT Decoder displays it as-is so you can copy it for comparison, but there is no meaningful human-readable content inside it. If you need signature verification, use a JWT library with your secret or public key.

3. Can this tool decode tokens signed with any algorithm?

The decoder reads the header to identify the algorithm (HS256, RS256, ES256, etc.) and displays it, but it does not verify signatures regardless of algorithm. All JWT formats—whether using symmetric (HS256) or asymmetric (RS256, ES256) algorithms—have the same three-part structure, so the decoder works uniformly. The limitation is intentional: signature verification requires cryptographic keys that this client-side tool doesn't have access to.

Summary

The JWT Decoder provides a safe, local way to inspect JSON Web Tokens without risking exposure of sensitive claims. It decodes the header and payload, formats them as readable JSON, and calculates human-readable expiration times. Understanding JWT structure—three Base64URL-encoded parts, no encryption, signature verification separate from decoding—helps you use the tool correctly and avoid common pitfalls. For authentication debugging, OAuth integration, security auditing, or learning, the decoder is a practical first step before deeper analysis with cryptographic libraries.

