Understanding JWTs: How to Decode and Inspect JSON Web Tokens

By Soumen Barick · 5 min read

What Is a JSON Web Token?

A JSON Web Token (JWT, pronounced "jot") is a compact, URL-safe token format used to transmit claims between two parties. It is the de facto standard for stateless authentication in modern web applications and APIs.

When you log into a website that uses JWTs, the server verifies your credentials and returns a token. Your browser stores this token and sends it with every subsequent request — proving your identity without the server needing to look up a session in a database.

For more developer utilities, see our essential online tools for developers.

The Three Parts of a JWT

Every JWT consists of three parts separated by dots:

```text
xxxxx.yyyyy.zzzzz
  |      |      |
header payload signature
```

1. Header

The header is a JSON object that specifies the token type and the signing algorithm:

```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```

This tells the recipient that the token is a JWT signed with HMAC-SHA256. Other common algorithms include RS256 (RSA with SHA-256) and ES256 (ECDSA with P-256).

The header JSON is Base64url-encoded to form the first part of the token.

2. Payload

The payload contains the claims — statements about the user and any additional metadata. Standard claims include:

  • sub (subject) — the user ID
  • iss (issuer) — who issued the token
  • aud (audience) — who the token is intended for
  • exp (expiration) — when the token expires (Unix timestamp)
  • iat (issued at) — when the token was created
  • nbf (not before) — the token is not valid before this time

Example payload:

```json
{
  "sub": "1234567890",
  "name": "Jane Doe",
  "role": "admin",
  "iat": 1709251200,
  "exp": 1709337600
}
```

Like the header, the payload is Base64url-encoded. This means the claims are encoded but not encrypted — anyone with the token can decode and read them.

3. Signature

The signature ensures the token has not been tampered with. It is created by taking the encoded header, the encoded payload, a secret key (or private key), and the algorithm specified in the header:

```text
HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)
```

When the server receives a JWT, it recomputes the signature using its secret key and compares it to the signature in the token. If they match, the token is authentic and has not been modified.

How to Decode a JWT

Using an Online Decoder

The fastest way to inspect a JWT is to paste it into the JWT Decoder. The tool splits the token into its three parts, decodes the Base64url-encoded header and payload, and displays the JSON in a readable format. It also checks whether the token has expired based on the exp claim.

Since JWTs use Base64url encoding, you could technically decode them with any Base64 Encoder/Decoder — but a dedicated JWT tool is faster because it handles the dot-splitting, URL-safe variant, and claim interpretation automatically.

Decoding Programmatically

Most languages have JWT libraries that handle decoding and verification:

  • JavaScript: jsonwebtoken (Node.js) or jose
  • Python: PyJWT
  • Java: jjwt or nimbus-jose-jwt
  • Go: golang-jwt/jwt

These libraries not only decode the token but also verify the signature — which an online decoder cannot do (it does not have your secret key).
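The signing step shown in the Signature section and the verify-then-decode flow that these libraries perform, as an added example using only the Python standard library (this is not code from the article or from any of the libraries listed); the secret is constructed, and the header and payload are the article's own samples:

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    # JWT uses Base64url with the trailing '=' padding removed
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Restore the padding that was stripped before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # Compact serialization: base64url(header).base64url(payload).base64url(sig)
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, payload)]
    signing_input = ".".join(segments)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def decode_unverified(token: str):
    # What an online decoder does: split on the dots and read the JSON, trusting nothing
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def verify_hs256(token: str, secret: bytes) -> dict:
    # Server-side check: recompute the HMAC over the first two segments and compare it
    # in constant time. The algorithm is pinned to HS256 instead of trusting "alg".
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    return json.loads(b64url_decode(payload_b64))

# Constructed sample: the article's header and payload with a made-up secret
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "1234567890", "name": "Jane Doe", "role": "admin",
           "iat": 1709251200, "exp": 1709337600}
SECRET = b"example-secret-not-for-production"

TOKEN = sign_hs256(HEADER, PAYLOAD, SECRET)  # what an issuer would hand the client
```

`decode_unverified` reads the claims without the key, exactly as an online decoder does; only `verify_hs256` establishes that they came from the holder of the secret.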

Debugging Common JWT Issues

Token Expired

The exp claim is a Unix timestamp. If the current time is past this timestamp, the token is expired and the server will reject it. Use a Timestamp Converter or the JWT Decoder to check the expiration time in a human-readable format.

Fix: Request a new token by re-authenticating, or implement a refresh-token flow so the client can obtain a new access token without forcing the user to log in again.

Invalid Signature

If the signature does not match, the token was either tampered with, signed with a different key, or signed with a different algorithm than the server expects.

Fix: Ensure the signing key is consistent between the issuer and the verifier. Check that both sides agree on the algorithm (HS256 vs. RS256, for example).

Missing Claims

Some servers require specific claims (such as aud or iss) to be present. If they are missing or have unexpected values, authentication fails even though the signature is valid.

Fix: Inspect the decoded payload to verify that all required claims are present and have the correct values.

Clock Skew

If the server's clock is slightly ahead of the issuer's clock, a token that was just issued might appear expired. Most JWT libraries accept a small clock-skew tolerance (usually 30-60 seconds).

Fix: Configure a reasonable clock-skew tolerance in your JWT verification settings, and keep server clocks synchronized with NTP.
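The claim checks behind the three non-signature problems above (expiry, missing or wrong claims, clock skew), as an added Python example that is not code from the article or any listed library; it assumes the payload's signature has already been verified, and the issuer and audience values in the sample are constructed:

```python
import time
from datetime import datetime, timezone

class ClaimError(Exception):
    """A signature-valid token that still fails claim checks."""

def expires_at(payload: dict) -> str:
    # The human-readable view of exp that a timestamp converter would give you
    return datetime.fromtimestamp(payload["exp"], tz=timezone.utc).isoformat()

def validate_claims(payload: dict, expected_iss: str, expected_aud: str,
                    now=None, leeway: int = 30) -> dict:
    # Runs on a payload whose signature has ALREADY been verified. Answers the
    # debugging questions: expired? required claims present and correct? clock skew?
    now = int(time.time()) if now is None else now
    missing = [c for c in ("exp", "iss", "aud") if c not in payload]
    if missing:
        raise ClaimError("missing required claims: " + ", ".join(missing))
    if payload["iss"] != expected_iss:
        raise ClaimError("issuer %r is not the expected %r" % (payload["iss"], expected_iss))
    aud = payload["aud"]
    audiences = aud if isinstance(aud, list) else [aud]  # RFC 7519 allows either form
    if expected_aud not in audiences:
        raise ClaimError("token is not intended for %r" % expected_aud)
    # Skew tolerance is applied on both time bounds, in the token's favour
    if now > payload["exp"] + leeway:
        raise ClaimError("token expired at %s (%ds ago)"
                         % (expires_at(payload), now - payload["exp"]))
    if "nbf" in payload and now < payload["nbf"] - leeway:
        raise ClaimError("token not valid for another %ds" % (payload["nbf"] - now))
    return payload

# Constructed sample payload: the article's iat/exp with an issuer and audience added
SAMPLE = {"sub": "1234567890", "iss": "https://issuer.example",
          "aud": "https://api.example", "iat": 1709251200, "exp": 1709337600}
```

Pass `now` explicitly when reproducing a report from a specific time; leaving it `None` uses the verifier's own clock, which is where the skew problem comes from.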

Security Considerations

  • Never store sensitive data in the payload. JWTs are encoded, not encrypted. Anyone with the token can read the claims.
  • Always verify the signature server-side. Decoding without verification means you are trusting unverified data.
  • Use short expiration times. Access tokens should expire in minutes, not days. Use refresh tokens for long-lived sessions.
  • Transmit JWTs over HTTPS only. A JWT intercepted over plain HTTP gives the attacker full access to the user's session.

Inspecting JWT Payloads as JSON

Once you have decoded a JWT, you may want to format the payload JSON for easier reading. Paste the decoded payload into the JSON Formatter to get syntax-highlighted, properly indented output — especially useful for tokens with many custom claims.

Conclusion

JWTs are elegant in concept but opaque in practice. The JWT Decoder removes the opacity, letting you inspect headers, claims, and expiration times instantly. Pair it with the Base64 Encoder/Decoder for lower-level inspection and the JSON Formatter for readable claim payloads. For more developer tools, head back to our essential developer tools guide.
