
How to Decode JWT Tokens Securely

Understand JWT structure, decode tokens safely, and inspect claims, expiry, and signatures. A complete guide with best practices and our free JWT Decoder tool.

🔐 Decode JWTs Safely: Inspect Without Trusting

JSON Web Tokens (JWTs) power authentication in APIs, SPAs, and mobile apps. Decoding lets you inspect header, payload, and claims—but decoding is not verification. This guide shows you how to decode JWTs securely, understand standard claims, avoid common mistakes, and use our JWT Decoder tool effectively.

Why Decode JWTs?

Decoding a JWT reveals its contents without verifying the signature. That might sound limited, but it's exactly what you need when:

🔍Debug Authentication

  • Check expiry (exp) and issued-at (iat) when tokens fail
  • See which claims your auth server is sending
  • Confirm audience (aud) and issuer (iss) for API debugging

🛠️Develop & Test

  • Inspect tokens from OAuth, Auth0, or custom backends
  • Edit payload and re-encode for testing different claims
  • Understand API docs that reference JWT structure

What is a JWT?

A JWT is a compact, URL-safe string with three Base64url-encoded parts separated by dots:

  • Header — Algorithm (e.g. HS256, RS256) and token type (JWT)
  • Payload — Claims: user id, roles, expiry, issuer, audience, and any custom data
  • Signature — computed over the first two segments with the issuer's key, so the server can verify the token wasn't tampered with

Example token. Its header segment decodes to {"alg":"HS256","typ":"JWT"} and its payload segment to {"sub":"1234567890","name":"John","iat":1616239022}; the third segment is the raw 32-byte HMAC-SHA256 signature in Base64url form:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4iLCJpYXQiOjE2MTYyMzkwMjJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Decoding only Base64url-decodes and JSON-parses the header and payload. It does not check the signature; that must be done by the server, using the shared secret (HMAC algorithms such as HS256) or the issuer's public key (RSA/ECDSA algorithms such as RS256/ES256).
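As an added example (not the Spoold tool's code), here is the decoding step the tool performs, written for Node.js: split the token, Base64url-decode the first two segments, parse them as JSON, and refuse malformed input. It uses the page's sample token and assumes nothing beyond Node's standard library; the signature is returned as bytes but never checked.

```javascript
// Added example (not the page's tool code): decode a JWT without verifying it.
// Node.js >= 16 (Buffer supports the 'base64url' encoding).

// Split a compact JWS into its three segments and decode header and payload.
// Nothing here checks the signature: the result is untrusted input.
function decodeJwt(token) {
  if (typeof token !== 'string') throw new Error('token must be a string');
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  // Base64url uses '-' and '_' and omits '=' padding; reject anything else so a
  // stray space or line break shows up as "invalid token" rather than garbage JSON.
  for (const seg of [h, p, s]) {
    if (!/^[A-Za-z0-9_-]*$/.test(seg)) throw new Error('segment is not base64url');
  }
  const header = parseJsonSegment(h, 'header');
  const payload = parseJsonSegment(p, 'payload');
  if (typeof header.alg !== 'string') throw new Error('header has no alg');
  return { header, payload, signature: Buffer.from(s, 'base64url') };
}

// Decode one segment and require it to be a JSON object.
function parseJsonSegment(seg, name) {
  const json = Buffer.from(seg, 'base64url').toString('utf8');
  let obj;
  try { obj = JSON.parse(json); } catch { throw new Error(`${name} is not valid JSON`); }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    throw new Error(`${name} must be a JSON object`);
  }
  return obj;
}

// The sample token from this page.
const SAMPLE = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4iLCJpYXQiOjE2MTYyMzkwMjJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

// Human-readable summary like the tool's view: algorithm, timestamps, expiry status.
// `now` is Unix seconds; it is a parameter so the result is reproducible.
function describe(token, now = Math.floor(Date.now() / 1000)) {
  const { header, payload, signature } = decodeJwt(token);
  const iat = payload.iat !== undefined ? new Date(payload.iat * 1000).toISOString() : 'absent';
  const expStatus = payload.exp === undefined ? 'no exp claim'
    : payload.exp <= now ? `expired at ${new Date(payload.exp * 1000).toISOString()}`
    : `expires in ${payload.exp - now}s`;
  return { alg: header.alg, iat, expStatus, sigBytes: signature.length, payload };
}

console.log(describe(SAMPLE));
```

The character-class check before decoding matters: Node's Base64url decoder silently skips characters it does not understand, so without it a token with a line break pasted into the middle would decode to something that merely looks plausible.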

Using the JWT Decoder Tool

Our JWT Decoder lets you paste a token and inspect it in seconds. Step by step:

1. Paste Your Token

Paste the full JWT (header.payload.signature) into the input field. You can copy it from Authorization: Bearer <token> in a request, from browser storage, or from your auth provider's debug panel.

💡 Tip: The tool decodes as you paste. If you see "Invalid token", check for extra spaces, line breaks, or a truncated token.

2. Inspect Header & Payload

View the decoded header (algorithm, type) and payload (claims) in a readable format:

  • Expiry: See if the token is expired and when it was issued
  • Claims: sub, iss, aud, custom claims—all in one place
  • Copy: Copy header or payload JSON for docs or debugging

3. Edit & Re-encode (for testing)

Change claims in the payload and re-encode to test how your app behaves with different sub, exp, or custom fields. Remember: the new token's signature won't be valid unless you sign it with your server's secret—use edit mode for local/testing scenarios only.

Understanding JWT Claims

Standard (registered) claims you'll see in most JWTs:

Claim   Meaning
iss     Issuer — who created the token
sub     Subject — user or entity ID
aud     Audience — intended recipient (e.g. your API); a single string or an array of strings
exp     Expiration — Unix timestamp (seconds) after which the token must be rejected
iat     Issued At — Unix timestamp (seconds) when the token was created
nbf     Not Before — token valid only after this Unix timestamp (seconds)

Many tokens also include custom claims (e.g. role, email, permissions). Decode the payload to see exactly what your auth server sends.
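To make the claim checks concrete, here is an added example (not the page's or any library's code) that validates the registered claims above on the server, for a payload whose signature has already been verified. The issuer and audience values and the 60-second clock-skew leeway are assumed configuration for the example; the sample payload is constructed, not a real token.

```javascript
// Added example (not the page's tool code): validate registered claims of a
// payload whose signature has ALREADY been verified. Times are Unix seconds.

const DEFAULT_LEEWAY = 60; // seconds of clock skew tolerated between issuer and verifier

// Returns { ok: true } or { ok: false, reason } for the first failed check.
// `expected` = { issuer, audience, now, leeway }: issuer/audience are what this
// server accepts (assumed configuration); `now` defaults to the current time.
function validateClaims(payload, expected) {
  const now = expected.now ?? Math.floor(Date.now() / 1000);
  const leeway = expected.leeway ?? DEFAULT_LEEWAY;

  // NumericDate claims must be numbers; a string "exp" would compare as garbage.
  for (const name of ['exp', 'nbf', 'iat']) {
    const v = payload[name];
    if (v !== undefined && (typeof v !== 'number' || !Number.isFinite(v))) {
      return { ok: false, reason: `${name} must be a number` };
    }
  }
  const { exp, nbf, iat } = payload;

  // Policy choice for this example: exp is mandatory; a token with no expiry never dies.
  if (exp === undefined) return { ok: false, reason: 'missing exp' };
  if (now >= exp + leeway) return { ok: false, reason: 'expired' };
  if (nbf !== undefined && now + leeway < nbf) return { ok: false, reason: 'not yet valid (nbf)' };
  if (iat !== undefined && iat > now + leeway) return { ok: false, reason: 'issued in the future (iat)' };

  if (expected.issuer !== undefined && payload.iss !== expected.issuer) {
    return { ok: false, reason: 'issuer mismatch' };
  }
  // aud may be a single string or an array of strings (RFC 7519 section 4.1.3);
  // the token must name this server in either form.
  if (expected.audience !== undefined) {
    const list = Array.isArray(payload.aud) ? payload.aud : payload.aud === undefined ? [] : [payload.aud];
    if (!list.includes(expected.audience)) return { ok: false, reason: 'audience mismatch' };
  }
  return { ok: true };
}

// Constructed sample payload and server configuration (not real values).
const SAMPLE_PAYLOAD = { iss: 'https://auth.example.com', aud: 'api.example.com', sub: '42', iat: 1700000000, exp: 1700000900 };
const SERVER_POLICY = { issuer: 'https://auth.example.com', audience: 'api.example.com', leeway: 60 };

// The "API returns 401" debugging question: why would this token be rejected right now?
function explainRejection(payload, policy = SERVER_POLICY, now = Math.floor(Date.now() / 1000)) {
  const result = validateClaims(payload, { ...policy, now });
  return result.ok ? 'claims are valid' : `rejected: ${result.reason}`;
}

console.log(explainRejection(SAMPLE_PAYLOAD, SERVER_POLICY, 1700000500)); // claims are valid
console.log(explainRejection(SAMPLE_PAYLOAD, SERVER_POLICY, 1700001000)); // rejected: expired
```

Note the asymmetry in the leeway: it extends the window on both ends (a token is accepted until exp + leeway and from nbf - leeway), which is the usual way to absorb clock drift without making tokens effectively longer-lived than a few seconds beyond what the issuer intended.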

Security Best Practices

Decoding is for inspection only. When building or integrating with JWTs:

🚫Never Trust Decoding Alone

Anyone can create a JWT with any header and any payload. Always verify the signature on the server with the algorithm and key you configured: the shared secret for HMAC algorithms (HS256) or the issuer's public key for RSA/ECDSA (RS256/ES256). Decoding in the browser or in a tool only shows contents; it does not prove the token is genuine.

📦Don't Put Secrets in the Payload

The payload is Base64url-encoded, not encrypted: anyone who holds the token can decode it in a second. Store only identifiers and claims you are willing to expose to the token holder (user id, roles, expiry). Never put passwords, API keys, or PII that must stay secret in the payload; if a claim genuinely has to be hidden from the holder, you need an encrypted token (JWE), not a signed one.

⏱️Short Expiry & HTTPS

Expiry:

Use short-lived access tokens (e.g. 15 min–1 hour). Refresh tokens can be longer-lived and stored securely.

HTTPS:

Send JWTs only over HTTPS so they can't be intercepted on the wire.

Validate Claims on the Server

After verifying the signature, check exp and nbf (allowing a small clock-skew leeway), iss (the issuer you trust) and aud (this service's own identifier) so expired, not-yet-valid, or re-purposed tokens are rejected. A token minted for a different audience carries a perfectly valid signature and must still be refused.

Common Pitfalls & How to Avoid Them

Avoid these mistakes when working with JWTs:

Trusting Payload Without Verification

A client or attacker can send a JWT with any payload. If your server only decodes and uses the payload without verifying the signature, anyone can impersonate users or set admin: true. Always verify with the correct key.

⚠️Algorithm Confusion and alg: none

The header's alg field is attacker-controlled. Two classic failures follow from trusting it. Libraries that accept alg: "none" skip signature checking entirely, so anyone can forge tokens. Verifiers that pick the cryptographic primitive from the header can be tricked into treating an RSA public key as an HMAC secret: the attacker signs an HS256 token with the server's (public) RSA key, and the server "verifies" it with that same key. Configure the expected algorithm and key on the server, compare the header's alg against it, never let the token choose, and never accept none.

🔤Storing JWTs Insecurely

localStorage is readable by any script running in the page, so a single XSS bug hands an attacker a usable token. Prefer cookies with the httpOnly, Secure and SameSite attributes for web apps (and then add CSRF protection, because the browser attaches cookies automatically), or the platform's secure storage on mobile. Use the decoder to inspect tokens; don't log full tokens in production, since a logged token is a reusable credential until it expires.

Pro Tips for Power Users

Get more from decoding and from our tool:

🕐Check Expiry Before Debugging

When an API returns 401, paste the token into the decoder and check exp and iat. Often the token is simply expired, or the client and server clocks disagree; servers should allow a small leeway (for example 60 seconds) when validating exp and nbf. Refresh the token or fix the clock before digging deeper.

✏️Edit Payload for Local Testing

Use the JWT Decoder's edit mode to change sub, add a custom claim, or extend exp for local tests. The re-encoded token won't have a valid signature for your real server—use it only in mocks or when your test environment skips verification.

🔗Combine With Other Tools

JWT payloads are JSON. Decode the token, copy the payload, and paste it into the JSON Formatter for pretty-printing or sharing. Use the Base64 tool to decode a single segment if you only have one part.

✅ Decode JWTs Securely With Our Free Tool

Use our JWT Decoder tool to decode and inspect tokens in the browser. View header and payload, check expiry, edit claims for testing, and copy results—all client-side with no sign-up. Perfect for debugging auth, understanding API tokens, and learning JWT structure.
