JWT Decoder

Decode and inspect JSON Web Tokens online. View header, payload, and expiration. Free JWT debugger.

About JWT Decoder

Decode JSON Web Tokens to inspect the header and payload. JWTs are commonly used for authentication in APIs and web applications. This tool decodes the token locally — nothing is sent to any server.

Note: This tool only decodes JWTs — it does not verify signatures.

Tutorial

How to Decode JWT Online in 3 Steps

Decode and inspect JSON Web Tokens online in seconds. Learn what's inside a JWT — header, payload, and signature — with real examples.


Video Tutorial

Video coming soon — full transcript available below (2:55).

Chapters

0:00

What is a JWT and its three parts

Welcome to this tutorial on the JWT Decoder. A JSON Web Token is a compact, URL-safe token used for authentication and information exchange. Every JWT has exactly three parts separated by dots: the header, the payload, and the signature. The header contains the token type and signing algorithm. The payload contains claims — pieces of information like user ID, email, roles, and expiry time. The signature is used to verify the token hasn't been tampered with. The header and payload are Base64URL-encoded JSON, which means they can be decoded without any secret key.

0:40

Paste token and see header decoded

Open the JWT Decoder on ToolPilot.dev. Copy a JWT from your application — you can find tokens in browser DevTools under Application > Cookies, or in the Network tab in Authorization: Bearer headers. Paste the full token into the input field. The tool immediately splits it into three sections and decodes the Base64URL. The header section shows the algorithm field — typically HS256 for HMAC-SHA256, or RS256 for RSA signatures with SHA-256. This tells you how the token says it was signed.

1:15

Reading the payload and user claims

The payload section is where the interesting data lives. Standard claims include sub (subject — usually a user ID), iss (issuer — who created the token), aud (audience — who it's intended for), iat (issued at — Unix timestamp), and exp (expiry time). Custom claims added by your application might include roles, permissions, email, or any other user data. All of this is displayed in readable formatted JSON in the decoder output.

1:50

Checking token expiry (exp claim)

The exp claim is a Unix timestamp representing when the token expires. The JWT Decoder converts this to a human-readable date and time so you can see exactly when the token will stop working. It also shows whether the token is currently valid or expired. This is incredibly useful when debugging authentication errors — if a user reports being logged out unexpectedly, you can paste their token and immediately see if it expired.

2:20

Debugging authentication errors

Common authentication bugs you can debug with the JWT Decoder: tokens using the wrong algorithm, missing required claims, incorrect user IDs in the sub field, wrong audience in the aud field, and clock skew causing premature expiry. When an API returns a 401 Unauthorized response, decode the token being sent and compare it with what the server expects. This eliminates hours of guesswork in debugging auth flows.

2:45

Security note: decode only, not verify

An important security note: this tool decodes JWTs but does not verify them. Decoding only reads the Base64-encoded payload. Verification requires the secret key or public key and checks the signature mathematically. Never trust decoded JWT data in production without server-side signature verification. The decoder is a debugging tool, not a security tool. Also note: all decoding happens in your browser — your token is never sent to any server — making it safe to use with real tokens during development.

Transcript covers all 6 chapters (2:55 total).

Frequently Asked Questions

What is a JWT (JSON Web Token)?
A JWT (JSON Web Token) is a compact, URL-safe token format used for securely transmitting claims between parties. It consists of three Base64URL-encoded parts separated by dots: Header.Payload.Signature.
What are the three parts of a JWT?
1. Header: algorithm and token type (e.g., {"alg":"HS256","typ":"JWT"}). 2. Payload: claims like user ID, roles, expiration (exp), issued-at (iat). 3. Signature: HMAC or RSA signature to verify the token hasn't been tampered with.
Is it safe to paste a JWT into an online decoder?
The JWT Decoder on Toolpilot decodes entirely in your browser — no data is sent to any server. However, as a best practice, rotate JWT secrets after exposing tokens to any third-party service, especially production tokens.
Can I verify a JWT signature online?
The JWT Decoder shows the decoded header and payload. Full signature verification requires the secret key (HS256) or public key (RS256). To verify a JWT signature, use your server-side JWT library (jsonwebtoken for Node.js, PyJWT for Python).
What does the 'exp' claim in a JWT mean?
The 'exp' (expiration time) claim is a Unix timestamp indicating when the token expires. Convert it using the Unix Timestamp Converter at toolpilot.dev/tools/timestamp-converter/ to see the human-readable expiration date.
What does the 'iat' claim mean?
The 'iat' (issued at) claim is a Unix timestamp for when the JWT was created. Together with 'exp', it tells you the token's lifetime. Convert using the Timestamp Converter at toolpilot.dev/tools/timestamp-converter/.
What is the difference between HS256 and RS256 in JWTs?
HS256 uses a shared secret key (HMAC-SHA256) — both signer and verifier must know the same secret. RS256 uses an RSA key pair — the server signs with a private key and anyone can verify with the public key, making it better for distributed systems.
Can I create (sign) a JWT with this tool?
The JWT Decoder is a read-only inspector that decodes existing tokens. To create and sign JWTs, use your programming language's library: jsonwebtoken in Node.js, PyJWT in Python, or the jwt.io debugger.
Why does my JWT token look like three Base64 strings?
JWTs are three Base64URL-encoded JSON objects joined by dots. Each part can be decoded separately using the Base64 Decoder at toolpilot.dev/tools/base64-encoder/. The JWT Decoder does this automatically and presents the JSON in a readable format.
What is a JWT refresh token?
A refresh token is a long-lived token used to obtain a new access JWT without re-authenticating. Access JWTs are short-lived (minutes to hours); refresh tokens last days to months. Never store refresh tokens in localStorage — use HttpOnly cookies.

Code Examples

Ready-to-use implementations in popular programming languages. Copy, paste, and run.

Decode JWT in JavaScript
// Decode JWT payload (without verification)
function decodeJWT(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('Invalid JWT');

  // JWT segments are Base64URL, not plain Base64: map '-' and '_' back to
  // '+' and '/', restore the '=' padding that atob expects, then decode the
  // resulting bytes as UTF-8 so non-ASCII claim values survive.
  const fromBase64Url = (s) => {
    const padded = s.replace(/-/g, '+').replace(/_/g, '/')
      .padEnd(s.length + ((4 - (s.length % 4)) % 4), '=');
    const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
    return new TextDecoder().decode(bytes);
  };

  const header = JSON.parse(fromBase64Url(parts[0]));
  const payload = JSON.parse(fromBase64Url(parts[1]));

  return { header, payload };
}

// Usage
const token = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.abc';
const { header, payload } = decodeJWT(token);
console.log(payload); // { sub: '1234567890' }
