JWT Decoder: Understand & Validate JSON Web Tokens

Our jwt decoder tool provides a seamless experience for jwt decoder tasks. You receive an API response with a token. It looks like gibberish. But that token controls who has access to what. Decoding it correctly could save you hours of debugging—or prevent a security breach.

JSON Web Tokens (JWT) power modern API authentication. Whether you're building APIs, integrating third-party services, or fixing authentication bugs, understanding JWT structure is essential.

Decode Your JWT Now

Advanced jwt decoder with jwt decoder online capabilities

Launch JWT Decoder

What Is a JWT? The Three-Part Structure - Jwt Decoder Online

A JWT token looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

That's three sections separated by dots (.). Let's break it down:

1. Header (Before First Dot)

Base64-encoded JSON describing the token type and signing algorithm:

{ "alg": "HS256", "typ": "JWT" }

alg: Algorithm used to sign (HS256, RS256, etc.)
typ: Always "JWT"
kid: Optional. Key ID for multi-key rotation

2. Payload (Between Dots)

Base64-encoded JSON with user information and claims:

{ 
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622
}

sub: Subject (usually user ID)
name: User name or email
iat: "Issued at" timestamp
exp: Expiration timestamp
aud: Audience (allowed recipients)
iss: Issuer (who created this token)

3. Signature (After Last Dot)

Proof that the token wasn't modified. Created by: HMACSHA256(Base64Url(header) + "." + Base64Url(payload), secret)

How JWT Validation Works - Free Jwt Decoder

When you receive a token, verification happens in stages:

Structure check: Does it have exactly 3 parts?
Format validation: Are all parts valid Base64?
Signature verification: Does the signature match?
Claims validation: Has it expired? Is issuer trusted?
Payload inspection: Extract user data safely

Common JWT Claims Explained - Jwt Decoder Tool

Standard JWT Claims (RFC 7519)

iss (Issuer): Who created the token
sub (Subject): Who the token is about (usually user ID)
aud (Audience): Who can use this token
exp (Expiration): Unix timestamp when token expires
nbf (Not Before): Token invalid before this timestamp
iat (Issued At): When token was created
jti (JWT ID): Unique token identifier

JWT Algorithms & Security

Symmetric Algorithms (Same Secret)

HS256: HMAC + SHA-256 (simple, requires sharing secret)
HS384: HMAC + SHA-384
HS512: HMAC + SHA-512

Asymmetric Algorithms (Public/Private Key)

RS256: RSA + SHA-256 (safer, better for APIs, slowest)
RS384: RSA + SHA-384
RS512: RSA + SHA-512
ES256: ECDSA + SHA-256 (newer, faster)

Red Flags When Decoding JWTs

Expired token (current time > exp): Token is no longer valid
Invalid signature: Token was modified or wrong secret used
Missing exp: Token never expires (security risk)
Wrong issuer: Token from untrusted source
Algorithm is "none": CRITICAL SECURITY ISSUE—token not signed
Unexpected claims: Token has extra data you didn't expect

Debugging JWT Issues Step-by-Step

Problem: "Token Expired"

Decode the token
Find "exp" claim (Unix timestamp)
Convert to readable date: new Date(exp * 1000)
If today > exp date, request a new token
Use OAuth refresh_token if available

Problem: "Invalid Signature"

Verify you're using correct signing secret
Check algorithm matches (RS256 vs HS256)
Ensure you have the EXACT secret (trailing spaces matter!)
Verify token wasn't truncated in transfer
Check issuer's public key hasn't rotated

Problem: "Claims Don't Match Expected"

Expected: What your API requires
Received: What token actually contains
Compare claim-by-claim
Check if issuer changed token format
May require code update to handle new claims

Real-World JWT Use Cases

OAuth 2.0 & OpenID Connect: Login with Google, GitHub, etc.
API Authentication: Pass token via Authorization header
SSO (Single Sign-On): Share authentication across services
Service-to-service: Microservices authenticating each other
Session tokens: Stateless session management

How to Use Our JWT Decoder

Paste your token into the input field
Tool automatically separates header, payload, signature
Review all claims and their values
Check expiration and issuer
Inspect signature algorithm
Export decoded data if needed

Security Best Practices

Never log JWTs: They contain user data
Always verify signature: Don't trust token content blindly
Set short expiration: 15 min - 1 hour recommended
Use HTTPS only: Prevent token interception
Store securely: HttpOnly cookies better than localStorage
Verify algorithm: Reject unexpected algorithms
Validate claims: Check exp, iss, aud always

Related Developer Tools

Hash Generator - Generate HMAC signatures
Base64 Encoder - Encode/decode Base64
JSON Formatter - Validate & format JSON in payloads
Regex Tester - Test token patterns

JWT Decoder vs jwt.io

Our decoder matches jwt.io functionality but with:

✓ No network requests (local processing)
✓ Works offline
✓ Advanced signature verification
✓ Claim validation rules
✓ Export options

Conclusion

JWT tokens are everywhere in modern APIs. Understanding their structure prevents hours of debugging. With our JWT Decoder, you can inspect any token, verify claims, and spot security issues instantly.

Master JWT, master your API security.

Start Decoding Now

Inspect tokens, verify claims, debug authentication instantly

Open JWT Decoder