How-To Guide

How to Decode JWT Online in 3 Steps

Decode and inspect JSON Web Tokens online in seconds. Learn what's inside a JWT — header, payload, and signature — with real examples.

Published 2026-03-09


JSON Web Tokens (JWTs) are everywhere in modern web apps — used for authentication, session management, and API authorization. But a raw JWT is unreadable until it is decoded. This guide shows you how to decode any JWT online in under 60 seconds.

What is a JWT?

A JWT is a compact, URL-safe token consisting of three Base64url-encoded parts separated by dots:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsIm5hbWUiOiJBbGljZSIsImlhdCI6MTcwOTk5MjAwMCwiZXhwIjoxNzA5OTk1NjAwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
↑ Header              ↑ Payload                                                                         ↑ Signature
  • Header — Algorithm and token type (e.g., {"alg":"HS256","typ":"JWT"})
  • Payload — Claims: user ID, roles, expiry time, issued-at, etc.
  • Signature — HMAC/RSA signature for verifying the token wasn't tampered with

Step-by-Step: How to Decode a JWT Online

  1. Open the tool — Visit the JWT Decoder. Completely free, no account needed.
  2. Paste your JWT — Copy the token from your Authorization: Bearer <token> header, cookie, or localStorage and paste it in.
  3. Read the decoded output — See the Header (signing algorithm), Payload (all claims in readable JSON), and Signature status instantly.

Real-World Use Cases

1. Debugging Authentication Issues

When a user gets an "unauthorized" error, decode their JWT to check if it has expired:

# Decoded payload showing expiry
{
  "sub": "user_123",
  "name": "Alice",
  "iat": 1709992000,   <-- issued at (Unix timestamp)
  "exp": 1709995600    <-- expires at (1 hour later)
}

Convert exp to a readable date: new Date(1709995600 * 1000). If it's in the past, the token is expired.

2. Verifying User Roles and Permissions

Many APIs embed user roles directly in the JWT payload. Decode it to confirm the correct roles are present:

{
  "sub": "user_456",
  "email": "[email protected]",
  "roles": ["viewer"],         <-- not "admin" — explains the 403!
  "org_id": "org_789"
}

3. Understanding Third-Party Auth Tokens

OAuth tokens from Google, GitHub, or Auth0 can be decoded to see what information is embedded — useful when integrating SSO into your application.

# Google OAuth ID Token payload example
{
  "iss": "https://accounts.google.com",
  "sub": "110169484474386276334",
  "email": "[email protected]",
  "email_verified": true,
  "name": "Alice Smith",
  "picture": "https://..."
}

Common Mistakes to Avoid

  • Thinking decoding = verification — Decoding reads the payload but does NOT verify the signature. Anyone can decode a JWT. Signature verification requires the secret key and must happen server-side.
  • Storing JWTs in localStorage for sensitive apps — localStorage is accessible via XSS. Use HttpOnly cookies for high-security applications.
  • Not checking the exp claim — Always validate token expiry on the server. A check done in the client runs on a token the client controls, so it can be skipped or tampered with and proves nothing.
  • Using alg: none — Some older libraries accept unsigned tokens. Always specify and validate the expected algorithm server-side.
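To make the decode-versus-verify distinction concrete, here is an added Python example (not the tool's code): a minimal decoder beside a verifier that pins the algorithm, checks the HS256 signature in constant time and enforces exp. It assumes an HS256 shared secret; the secret, test claims and the sign_hs256 helper are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Server-side allow-list: the header's "alg" is untrusted input and never selects the verifier.
ALLOWED_ALGS = {"HS256"}

def b64url_decode(segment):
    # JWT segments are base64url without "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_jwt(token):
    """Split a JWT into (header, claims, signature). Reads only; proves nothing."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated parts")
    return (json.loads(b64url_decode(parts[0])),
            json.loads(b64url_decode(parts[1])), b64url_decode(parts[2]))

def verify_jwt(token, secret, now=None):
    """Check the HS256 signature and exp; return the claims or raise ValueError."""
    header, claims, sig = decode_jwt(token)
    if header.get("alg") not in ALLOWED_ALGS:          # rejects "none" and alg swaps
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):          # constant-time comparison
        raise ValueError("signature mismatch")
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool) or now >= exp:
        raise ValueError("token expired or exp missing")
    return claims

def sign_hs256(claims, secret):
    """Mint a token with a known secret (constructed helper so the example runs offline)."""
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    head, body = compact({"alg": "HS256", "typ": "JWT"}), compact(claims)
    sig = hmac.new(secret, ("%s.%s" % (head, body)).encode("ascii"), hashlib.sha256).digest()
    return "%s.%s.%s" % (head, body, b64url_encode(sig))

# The token from the top of this guide: it decodes, but no holder of our secret signed it.
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJzdWIiOiJ1c2VyXzEyMyIsIm5hbWUiOiJBbGljZSIsImlhdCI6MTcwOTk5MjAwMCwiZXhwIjoxNzA5OTk1NjAwfQ."
              "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")
```

decode_jwt(PAGE_TOKEN) returns the claims shown in the use cases above, while verify_jwt(PAGE_TOKEN, secret) fails with a signature mismatch for any secret you hold, which is exactly the gap the first bullet describes.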
