
JWT Decoder

Decode JSON Web Tokens (JWT) instantly and inspect headers, payload claims, and expiration with a secure browser-based JWT decoder.


Inspect, analyze, and parse JSON Web Tokens (JWT) safely with this free online developer utility. Decode token headers, claim payloads, and expiration timestamps locally inside your browser memory sandbox.

Learn About This Tool

Understanding JSON Web Tokens and their structural parts

A JSON Web Token (JWT) is a compact, URL-safe data structure used to transmit claims (typically about a user's identity) between web systems. A signed token lets the receiver detect any change to those claims, but the claims themselves are only encoded, not encrypted, so anyone holding the token can read them. A standard signed token consists of three parts separated by periods (.): a Header, a Payload, and a Signature. Each segment is individually encoded using base64url formatting. To convert raw strings or inspect basic variables, use our Base64 Encoder / Decoder. Here is the typical structural representation of a token:
// Standard JWT Token Layout
header_base64url.payload_base64url.signature_base64url

// Example starting with "eyJ"
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0.signature
  • Header defines the signing algorithm and token metadata structure
  • Payload contains the application claims, roles, and user permissions
  • Signature verifies that the header and payload were not altered after the token was signed
  • Periods act as strict delimiter tokens separating the segments

Decoding standard token headers

The token header contains metadata about the signature format and target content type. It is decoded from the first base64url segment to identify how the token is signed. If you want to sanitize or format header parameters during code inspections, try our JSON Formatter & Validator. Here is a typical decoded header structure:
// Decoded Header Segment JSON
{
  "alg": "HS256", // HMAC SHA-256 signing algorithm
  "typ": "JWT"    // Token type
}
  • Specifies the signature algorithm, such as HS256, RS256, or ES256
  • May carry a key identifier (kid) that tells the verifier which key or certificate to look up
  • Informs validation engines how to handle cryptographic checks
  • Decodes on any client without a key or credentials, because it is only base64url-encoded, not encrypted

Inspecting payload claim structures

The payload represents the core claim segment containing user roles, identifier keys, and expiration limits. These parameters are decoded from the second token block. If you are formatting variable formats like camelCase or PascalCase inside API claims, use our Case Converter. Here is a typical decoded payload claim:
// Decoded Payload Segment JSON
{
  "sub": "1234567890", // Subject identifier
  "name": "Jane Doe",
  "admin": true,
  "iat": 1516239022    // Issued at timestamp
}
  • Subject (sub) specifies the unique user identifier attribute
  • Issuer (iss) identifies which security server generated the token
  • Audience (aud) names the recipients the token is intended for; an API should reject tokens not addressed to it
  • Custom scopes detail user roles and specific request rights
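The structure, header and payload sections above describe what a decoder does with the three segments. The following is an added example, not ToolMight's own code: it splits a compact token, rejects malformed segments (wrong segment count, characters outside the base64url alphabet, non-object JSON), decodes the header and payload, and separates the registered claims from application-specific ones. It runs on Node.js, relying on Buffer's "base64url" encoding; the sample token is the one shown on this page, whose third segment is the literal word "signature".

```javascript
// Added example, not ToolMight's code: parse a compact JWS token into its segments (Node.js).

// Registered claim names from RFC 7519 section 4.1; everything else is application-defined.
const REGISTERED_CLAIMS = ["iss", "sub", "aud", "exp", "nbf", "iat", "jti"];

function parseJsonSegment(segment, name) {
  // Header and payload segments use only the base64url alphabet and carry no "=" padding.
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) {
    throw new Error(`${name} segment contains characters outside the base64url alphabet`);
  }
  const json = Buffer.from(segment, "base64url").toString("utf8");
  let value;
  try {
    value = JSON.parse(json);
  } catch (err) {
    throw new Error(`${name} segment is not valid JSON`);
  }
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error(`${name} segment must decode to a JSON object`);
  }
  return value;
}

function decodeJwt(token) {
  if (typeof token !== "string") throw new TypeError("token must be a string");
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 period-separated segments, got ${parts.length}`);
  }
  const [headerB64, payloadB64, signatureB64] = parts;
  return {
    header: parseJsonSegment(headerB64, "header"),
    payload: parseJsonSegment(payloadB64, "payload"),
    // The signature stays encoded: decoding alone cannot check it, that needs the key.
    signature: signatureB64,
    // The exact bytes the signature was computed over (used later by a verifier).
    signingInput: `${headerB64}.${payloadB64}`,
  };
}

// Split a decoded payload into registered claims and custom claims.
function splitClaims(payload) {
  const registered = {};
  const custom = {};
  for (const [key, value] of Object.entries(payload)) {
    (REGISTERED_CLAIMS.includes(key) ? registered : custom)[key] = value;
  }
  return { registered, custom };
}

// Sample input: the token shown on this page (third segment is the placeholder "signature").
const SAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0." +
  "signature";

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header);               // { alg: 'HS256', typ: 'JWT' }
console.log(splitClaims(decoded.payload)); // registered: { sub: '1234567890' }, custom: { name: 'John Doe' }
```

The alphabet check matters in practice: Buffer's base64url decoder silently drops characters it does not understand, so a token with stray whitespace or a pasted trailing quote would otherwise decode to something that looks plausible but is not what was issued.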

Verifying JWT expiration timestamps

Modern web tokens include expiration (exp) and issued at (iat) times represented as Unix epoch timestamps in seconds (not milliseconds). Validation systems check these times to reject expired tokens. If you are converting dates or documenting code structures for developers, try our Markdown to HTML Converter. Here is how expiration is evaluated:
const expTimestamp = 1516239022; // exp claim: Unix epoch time in seconds (not milliseconds)
// RFC 7519 requires the current time to be strictly before exp, so "now >= exp" means expired
const isExpired = Math.floor(Date.now() / 1000) >= expTimestamp;

if (isExpired) {
  throw new Error("Token verification failed: token has expired");
}
  • Expiration claim bounds the window in which a leaked or replayed token remains usable
  • Not Before (nbf) claim prevents token use before a specific time
  • Unix timestamps are converted to local browser dates for display
  • Assists administrators in identifying expired user sessions quickly
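The following is an added example, not ToolMight's own code, that evaluates exp, nbf and iat the way a validator does: it treats the claims as NumericDate values (seconds since the Unix epoch, per RFC 7519), applies a clock-skew leeway, and flags the common mistake of issuing exp in milliseconds. The function names, the nowSeconds and leewaySeconds parameters and the sample payload are constructed for this example.

```javascript
// Added example, not ToolMight's code: time-window checks on a decoded payload.

function numericDate(value, name) {
  if (value === undefined) return null; // claim absent: no constraint
  if (typeof value !== "number" || !Number.isFinite(value)) {
    throw new Error(`${name} claim must be a number of seconds since the epoch`);
  }
  // A 13-digit value is almost certainly milliseconds from Date.now(); reject it rather
  // than accept a token that would "expire" tens of thousands of years from now.
  if (value > 1e11) throw new Error(`${name} claim looks like milliseconds, not seconds`);
  return value;
}

function checkTokenTimes(payload, nowSeconds = Math.floor(Date.now() / 1000), leewaySeconds = 0) {
  const exp = numericDate(payload.exp, "exp");
  const nbf = numericDate(payload.nbf, "nbf");
  const iat = numericDate(payload.iat, "iat");
  // Multiply by 1000 for JavaScript Dates; this is the conversion the tool displays.
  const toDate = (s) => (s === null ? null : new Date(s * 1000));
  return {
    // RFC 7519: the current time must be strictly before exp; leeway absorbs clock skew.
    expired: exp !== null && nowSeconds >= exp + leewaySeconds,
    // RFC 7519: the current time must be at or after nbf.
    notYetValid: nbf !== null && nowSeconds < nbf - leewaySeconds,
    expiresAt: toDate(exp),
    notBefore: toDate(nbf),
    issuedAt: toDate(iat),
  };
}

// A token is usable only if neither window check fails.
function isTimeValid(payload, nowSeconds, leewaySeconds) {
  const r = checkTokenTimes(payload, nowSeconds, leewaySeconds);
  return !r.expired && !r.notYetValid;
}

// Constructed sample: the page's iat value, nbf equal to iat, exp one hour later.
const SAMPLE_PAYLOAD = { sub: "1234567890", iat: 1516239022, nbf: 1516239022, exp: 1516242622 };

console.log(checkTokenTimes(SAMPLE_PAYLOAD)); // expired: true (expiresAt is 2018-01-18T02:30:22Z)
console.log(isTimeValid(SAMPLE_PAYLOAD, 1516240000)); // true: inside the one-hour window
```

Pass a small leeway (a few seconds) when the issuer and verifier run on different hosts; without it, clock skew makes freshly issued tokens fail the nbf check.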

Evaluating the signature segments

The signature is computed over the encoded header and payload using either a shared secret (HMAC algorithms such as HS256) or the issuer's private key (RSA and ECDSA algorithms such as RS256 and ES256); the verifier recomputes it with the same secret or checks it with the corresponding public key. Decoding does not require any key, but signature verification does. If you are debugging general cryptographic functions, you can test checksum hashes with our Hash Generator. Here is the signature logic:
/* Signature computation, shown concretely for HS256 (HMAC-SHA256) with Node's crypto module;
   RS256/ES256 sign the same input with a private key instead of a shared secret */
const crypto = require("crypto");
const signingInput = base64UrlEncode(header) + "." + base64UrlEncode(payload);
const signature = crypto.createHmac("sha256", secretKey).update(signingInput).digest("base64url");
// The verifier recomputes this value over the received header.payload and compares it with the third segment
  • Secures token payloads against client-side modifications
  • Requires the shared secret or the signer's public key for validation
  • Calculated entirely server-side to prevent credential exposure
  • Indicates whether the data stream remains authentic

Handling URL-safe base64url padding rules

Standard Base64 strings use characters like + and /, which can cause issues in URL paths. Base64url replaces these with - and _ respectively, and strips the trailing = padding. To encode or decode general parameters for URL structures, use our URL Encoder / Decoder. Here is the padding restoration utility in JS:
function decodeBase64Url(str) {
  // Map the URL-safe alphabet back to standard Base64
  let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
  // Restore the "=" padding that base64url strips (length must be a multiple of 4)
  while (base64.length % 4) {
    base64 += "=";
  }
  // Note: atob returns one character per byte, so non-ASCII claim values (UTF-8)
  // need a further TextDecoder step before JSON.parse
  return atob(base64);
}
  • Restores trailing padding characters before running decoding logic
  • Maps - and _ back to + and / so that the standard Base64 decoder accepts the input
  • Handles standard JSON structures cleanly without data corruption
  • Ensures full cross-compatibility with diverse identity frameworks
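The padding utility above works for ASCII claims, but atob() yields one character per byte, so a name such as "Zoë" comes out as four mangled characters. The following added example, not ToolMight's own code, is a portable base64url codec that also validates the alphabet and length, decodes through TextDecoder so UTF-8 claims survive, and provides the encoding direction for round trips. It uses only the atob, btoa, TextEncoder and TextDecoder globals available in browsers and Node.js; the function names are constructed for this example.

```javascript
// Added example, not ToolMight's code: validated, UTF-8-correct base64url encode/decode.

// Convert base64url to standard Base64, rejecting input that could not have come from an encoder.
function base64UrlToBase64(str) {
  if (!/^[A-Za-z0-9_-]*$/.test(str)) {
    throw new Error("input contains characters outside the base64url alphabet");
  }
  let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
  const remainder = base64.length % 4;
  if (remainder === 1) throw new Error("invalid base64url length"); // 6 bits cannot form a byte
  if (remainder) base64 += "=".repeat(4 - remainder);
  return base64;
}

// Decode base64url to a JavaScript string, interpreting the bytes as UTF-8.
function decodeBase64UrlUtf8(str) {
  const binary = atob(base64UrlToBase64(str));
  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
  // fatal: true makes malformed UTF-8 an error instead of silently producing U+FFFD
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Encode a string as UTF-8 bytes, then as unpadded base64url (what a JWT segment looks like).
function encodeBase64Url(text) {
  const bytes = new TextEncoder().encode(text);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed sample: a payload with a non-ASCII claim value.
const SAMPLE_JSON = '{"sub":"1234567890","name":"Zoë"}';
const segment = encodeBase64Url(SAMPLE_JSON);

console.log(decodeBase64UrlUtf8(segment) === SAMPLE_JSON); // true
console.log(atob(base64UrlToBase64(segment)) === SAMPLE_JSON); // false: atob alone mangles "ë"
console.log(decodeBase64UrlUtf8("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9")); // {"alg":"HS256","typ":"JWT"}
```

Rejecting a remainder of 1 is deliberate: such a string cannot be produced by any encoder, so it is a sign of a truncated or corrupted token rather than something to pad and decode anyway.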

How to Use JWT Decoder

1. Paste your encoded token into the input console

Paste your JWT string (which typically begins with 'eyJ...') into the primary text console. Click Clear or press Ctrl+L to wipe the inputs.

2. Inspect the parsed token segments

The tool parses the period delimiters and decodes the segments into human-readable JSON header and payload claims instantly.

3. Check the signature algorithms

Look at the Header block to verify the algorithm configuration (such as HS256 or RS256) and token type.

4. Verify user claims and session limits

Review the Payload Claims block to verify roles, permissions, scopes, and subject user identifiers.

5. Convert expiration timestamps

Locate the exp (expiration) and iat (issued at) parameters to view the Unix epoch values converted to local browser dates.


Common questions

What is a JWT decoder?

A JWT decoder is an online utility that splits a JSON Web Token into its Header, Payload, and Signature components, decoding the base64url data to show the claims inside.

Is it safe to decode production API tokens using this online tool?

Yes. All token splitting and decoding operations are executed client-side in local browser memory. No data is sent over the network, ensuring complete protection for sensitive credentials.

What are the three main components of a JSON Web Token?

A token consists of a Header (identifying signing algorithms), a Payload (containing user claim scopes), and a Signature (ensuring verification integrity), separated by periods.

Why do web tokens commonly start with the character sequence 'eyJ'?

This sequence is the base64url encoding of the first two bytes of a JSON object, the opening brace and the quote that starts its first key ({"), as in {"alg":. Because both the header and the payload are JSON objects, both of those segments usually begin with eyJ.

Can this decoder verify the cryptographic signature of my tokens?

No. Signature verification requires the shared secret (for HMAC algorithms) or the public key that corresponds to the private key used to sign the token. To keep your secrets safe, we do not ask for or store keys, and therefore do not verify signatures.

What is the difference between decoding and verifying a token?

Decoding converts the base64url segments into readable JSON without checking credentials. Verifying evaluates the signature using a cryptographic key to ensure the token has not been modified.

Why does my token return a parsing error during decoding?

Ensure that you pasted the full token, including the period separators. Mismatched spaces, missing segments, or non-standard characters can cause parsing errors.

How does the tool display epoch timestamp dates in a human-readable format?

The tool parses claims like exp (expiration) and iat (issued at), multiplies the seconds by 1000, and converts them to local system time strings.

What is the difference between Base64 and Base64URL?

Base64URL replaces characters that have special meanings in URL paths, changing + and / to - and _ respectively, and omits the trailing = padding.

Does the decoder support encrypted JSON Web Encryption (JWE) tokens?

No. This tool is designed for standard signed JSON Web Tokens (JWS). Encrypted tokens require a decryption key, which is not supported by this public tool.

What are registered claims like sub, iss, and aud?

These are standardized claims: sub identifies the subject user, iss defines the token issuer server, and aud limits the intended audience API.

How do client browsers decode tokens programmatically?

Browsers split the token by periods, select the payload segment, restore the padding, and decode it: JSON.parse(atob(payload)).

Why is signature verification important for security?

Signature verification ensures that the claims in the payload have not been tampered with by a client after the token was issued.

Can I use standard keyboard shortcuts to operate the interface?

Yes. Press Ctrl + Shift + C to copy the payload claims instantly, or Ctrl + L to clear the input fields.

What does the 'typ' property represent in a JWT header?

The typ header parameter specifies the media type of the token, which is commonly set to JWT to identify standard signed tokens.
