JWT Decoder: How to Decode and Inspect JSON Web Tokens
Learn to decode JSON Web Tokens, inspect header and payload claims, verify signatures, and debug authentication issues with our free JWT decoder.

What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and information exchange. It looks like this:

```text
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
```

Three parts, separated by dots. The first two parts (header and payload) are Base64URL-encoded JSON; the third is the Base64URL-encoded signature bytes.
The Three Parts of a JWT
1. Header
Contains the algorithm and token type:

```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```

2. Payload
Contains claims — statements about the user and additional metadata:

```json
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622,
  "iss": "https://auth.example.com",
  "aud": "https://api.example.com"
}
```

3. Signature
A cryptographic signature that lets the recipient detect any change to the header or payload. For HS256 it is an HMAC over the encoded header and payload, keyed with a secret shared by issuer and verifier:

```text
HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)
```

Common JWT Claims
| Claim | Full Name | Purpose | Example |
|---|---|---|---|
| `sub` | Subject | User identifier | `"user_123"` |
| `iss` | Issuer | Who issued the token | `"https://auth.example.com"` |
| `aud` | Audience | Intended recipient | `"https://api.example.com"` |
| `exp` | Expiration | When it expires (Unix timestamp) | `1716451200` |
| `nbf` | Not Before | When it becomes valid | `1716364800` |
| `iat` | Issued At | When it was issued | `1716278400` |
| `jti` | JWT ID | Unique identifier (prevents replay) | `"abc123"` |
How to Decode a JWT
Using ToolboxPro
Visit our JWT Decoder and:
1. Paste your JWT into the input field
2. Instantly see the decoded header and payload as formatted JSON
3. Check expiration — the tool shows if the token is still valid
4. Verify the signature — enter your secret to confirm authenticity
Manual Decoding
JWTs are NOT encrypted — they're encoded. Anyone can read them. Note that the parts are Base64URL, not plain Base64, so the `-`/`_` characters must be mapped back and padding restored before `atob()` will accept them:

```javascript
// Convert Base64URL ('-', '_', no padding) to standard Base64 for atob()
function base64UrlDecode(str) {
  const base64 = str.replace(/-/g, '+').replace(/_/g, '/');
  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
  return atob(padded);
}

function decodeJWT(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('Malformed JWT: expected three dot-separated parts');
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  return { header, payload }; // decoding only: the signature is NOT checked here
}

const token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.";
const decoded = decodeJWT(token);
console.log(decoded);
```

Common JWT Vulnerabilities
1. "none" Algorithm Attack
Some JWT libraries accept tokens with "alg": "none", meaning no signature is required. Attackers can modify the payload and set the algorithm to "none".
Fix: Always reject tokens with no algorithm or algorithm "none".
2. Algorithm Confusion (RS256 vs HS256)
If your server expects RS256 (asymmetric) but accepts HS256 (symmetric), an attacker can use the public key as the HMAC secret to forge tokens.
Fix: Explicitly validate the algorithm against an allowlist.
3. Weak Secret Key
A weak HMAC secret can be brute-forced offline. If the secret is leaked, anyone can forge valid tokens.
Fix: Use a long, random secret (at least 256 bits for HS256).
4. Missing or Excessive Expiration
Tokens with extremely long expiration (years) or no exp claim at all are risky: a leaked token works forever.
Fix: Use short expiration times (15-30 minutes for access tokens, days for refresh tokens) and reject tokens without an exp claim.
JWT Best Practices

```javascript
// Store JWTs securely
// ❌ localStorage — vulnerable to XSS
// ❌ sessionStorage — lost on tab close
// ✅ HttpOnly Secure SameSite cookies — best for SPAs
// ✅ In-memory variable with refresh token in cookie

// Validate on every request (uses the `jsonwebtoken` npm package)
const jwt = require('jsonwebtoken');
const SECRET = process.env.JWT_SECRET; // long, random, loaded from config, never hard-coded

function verifyToken(token) {
  try {
    const decoded = jwt.verify(token, SECRET, {
      algorithms: ['HS256'],               // explicit allowlist: blocks "none" and RS256/HS256 confusion
      issuer: 'https://auth.example.com',  // must match the iss claim
      audience: 'https://api.example.com', // must match the aud claim
      maxAge: '15m'                        // reject tokens issued more than 15 minutes ago
    });
    return decoded;
  } catch (err) {
    // Token is invalid, expired, or fails one of the claim checks
    return null;
  }
}
```

FAQ
Is JWT secure? JWT is secure when implemented correctly. The token itself can be read by anyone (it's base64-encoded, not encrypted). The security comes from the signature — without the secret key, nobody can forge a valid token.
Should I store sensitive data in a JWT? No. JWTs are encoded, not encrypted. Anyone with the token can decode the payload. Store only non-sensitive identifiers (user ID, role, permissions).
What's the difference between JWT and JWS? JWT is the standard for the token and its claims. JWS (JSON Web Signature) is the standard for signing it, and a signed JWT is serialized as a JWS. Most people use "JWT" to mean "signed JWT" (JWS).
How do I refresh a JWT? Use a two-token system: a short-lived access token (15 min) and a long-lived refresh token (7 days) stored securely. When the access token expires, use the refresh token to get a new one.
Does our tool store JWTs? No. Your token is decoded entirely in your browser. It never reaches our servers.
Try it yourself with our free online JWT Decoder.