JWT Decoder

Decode and inspect JSON Web Tokens (JWT). View header, payload, and signature.

0 characters

What is a JWT Decoder?

A JWT (JSON Web Token) decoder is a tool that decodes and displays the contents of JWT tokens. JWTs are commonly used for authentication and information exchange in web applications. This tool helps you inspect JWT contents without verifying the signature.

Essential Uses of JWT Decoding

  • Debugging Authentication Issues: When authentication fails or behaves unexpectedly, decode the JWT to see what claims it contains. Check if user ID (sub) is correct, if roles/permissions are present, if expiration (exp) has passed, or if custom claims match expectations. For example, if a user reports "access denied," decode their JWT to verify their roles claim contains the required permission. This instantly reveals whether the issue is token generation (missing claims) or authorization logic (incorrect permission checks).
  • API Development and Testing: When building or testing APIs that use JWT authentication, decode tokens to verify the API is generating correct JWTs. Check that claims are formatted properly, expiration times are reasonable, and custom claims (user metadata, permissions) are included. Tools like Postman and Insomnia show JWTs in requests. Decoding them helps you understand what the API is actually sending and receiving.
  • seo.jwt_decoder.use_security seo.jwt_decoder.use_security_desc
  • Token Expiration Checking: JWTs contain an exp (expiration) claim as a Unix timestamp. Decode a token to check when it expires. Convert the timestamp to human-readable date/time to see if the token is still valid or has expired. This is crucial when debugging "token expired" errors. Decode the token, check the exp claim, compare to current time. Many authentication issues are simply expired tokens.
seo.jwt_decoder.heading_how

seo.jwt_decoder.how_desc

  • seo.jwt_decoder.how_step1
  • seo.jwt_decoder.how_step2
  • seo.jwt_decoder.how_step3
  • seo.jwt_decoder.how_step4

seo.jwt_decoder.how_example

JWT: The Modern Authentication Standard

JWT was standardized as RFC 7519 in 2015, but the concept emerged earlier from OAuth 2.0 and OpenID Connect specifications. JWTs solved a critical problem: how to authenticate users in stateless APIs without server-side sessions. Traditional session authentication requires storing session data on the server and looking it up on every request. JWTs flip this model: all authentication information is in the token itself (self-contained), allowing servers to verify authenticity without database lookups. This makes JWTs perfect for microservices, serverless architectures, and distributed systems. Today, JWTs are used by virtually every modern authentication system: Auth0, Firebase, AWS Cognito, Keycloak, and countless custom implementations.

Critical JWT Security Warnings

Decoding a JWT shows its contents but does not verify its authenticity. Always verify JWT signatures on the server before trusting the payload data. Learn about encoding security

JWT Decoding in Programming Languages

Most programming languages have JWT libraries for decoding and verifying tokens. Here are examples (decode only, without verification):

// Using firebase/php-jwt (decode without verification)
use Firebase\JWT\JWT;
$parts = explode('.', $token);
$header = json_decode(JWT::urlsafeB64Decode($parts[0]));
$payload = json_decode(JWT::urlsafeB64Decode($parts[1]));

// With verification (recommended for production)
use Firebase\JWT\JWT;
use Firebase\JWT\Key;
try {
    $decoded = JWT::decode($token, new Key($secret, 'HS256'));
    // Token is valid and verified
} catch (Exception $e) {
    // Token invalid or expired
}

// Browser or Node.js: Decode without verification
function decodeJWT(token) {
    const parts = token.split('.');
    const header = JSON.parse(atob(parts[0]));
    const payload = JSON.parse(atob(parts[1]));
    return { header, payload };
}

// Using jsonwebtoken library (Node.js)
const jwt = require('jsonwebtoken');
const decoded = jwt.decode(token); // No verification

// With verification (recommended)
try {
    const verified = jwt.verify(token, secret);
    // Token is valid
} catch (err) {
    // Token invalid or expired
}

import jwt
import json
import base64

# Decode without verification
def decode_jwt(token):
    parts = token.split('.')
    header = json.loads(base64.urlsafe_b64decode(parts[0] + '=='))
    payload = json.loads(base64.urlsafe_b64decode(parts[1] + '=='))
    return header, payload

# Using PyJWT (decode without verification)
decoded = jwt.decode(token, options={"verify_signature": False})

# With verification (recommended)
try:
    verified = jwt.decode(token, secret, algorithms=["HS256"])
    # Token is valid
except jwt.ExpiredSignatureError:
    # Token expired
except jwt.InvalidTokenError:
    # Token invalid

import (
    "encoding/base64"
    "encoding/json"
    "strings"
)

// Decode without verification
func decodeJWT(token string) (map[string]interface{}, error) {
    parts := strings.Split(token, ".")
    payload, _ := base64.RawURLEncoding.DecodeString(parts[1])
    var claims map[string]interface{}
    json.Unmarshal(payload, &claims)
    return claims, nil
}

// Using golang-jwt/jwt with verification
import "github.com/golang-jwt/jwt/v5"
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
    return []byte(secret), nil
})
if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
    // Token verified and valid
}

// Using java-jwt (Auth0)
import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;

// Decode without verification
DecodedJWT jwt = JWT.decode(token);
String subject = jwt.getSubject();
Date expiresAt = jwt.getExpiresAt();

// With verification (recommended)
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.JWTVerifier;
try {
    Algorithm algorithm = Algorithm.HMAC256(secret);
    JWTVerifier verifier = JWT.require(algorithm).build();
    DecodedJWT jwt = verifier.verify(token);
    // Token is valid
} catch (Exception e) {
    // Token invalid
}

require 'jwt'

# Decode without verification
decoded = JWT.decode(token, nil, false)
payload = decoded[0]
header = decoded[1]

# With verification (recommended)
begin
  decoded = JWT.decode(token, secret, true, { algorithm: 'HS256' })
  payload = decoded[0]
  # Token is valid
rescue JWT::ExpiredSignature
  # Token expired
rescue JWT::DecodeError
  # Token invalid
end

using System.IdentityModel.Tokens.Jwt;

// Decode without verification
var handler = new JwtSecurityTokenHandler();
var jwtToken = handler.ReadJwtToken(token);
var claims = jwtToken.Claims;
var expiration = jwtToken.ValidTo;

// With verification (recommended)
using Microsoft.IdentityModel.Tokens;
var tokenHandler = new JwtSecurityTokenHandler();
var key = Encoding.ASCII.GetBytes(secret);
try {
    var principal = tokenHandler.ValidateToken(token,
        new TokenValidationParameters {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(key),
            ValidateIssuer = false,
            ValidateAudience = false
        }, out SecurityToken validatedToken);
    // Token is valid
} catch {
    // Token invalid
}

Related Tools

JWTs use Base64URL encoding. Use our Base64 Decoder to decode individual JWT parts if needed.

JWT payloads are JSON. After decoding, use our JSON Formatter to beautify the decoded JSON for easier reading.

Passing JWTs in URLs? Ensure they're URL-encoded with our URL Encoder to handle special characters safely.