
    How to Decode and Inspect JWT Tokens Safely

    Jan 1, 2025 · 4 min read

    JSON Web Tokens (JWTs) are used everywhere for authentication and authorization. When debugging login issues, API access, or session management, you need to decode and inspect tokens — but doing it safely is critical.

    What Is a JWT?

    A JWT is a compact, URL-safe token made up of three parts separated by dots:

    header.payload.signature

    • Header — Contains the token type and signing algorithm (e.g., HS256, RS256).
    • Payload — Contains the claims — user data, permissions, expiration time, and other metadata.
    • Signature — An HMAC (HS256, HS384, HS512) or a digital signature (RS256, ES256, PS256 and others) computed over the encoded header and payload. A party that holds the right key can use it to detect tampering; it is not a plain hash, and it proves nothing until someone actually verifies it.

    The header and payload are only Base64url-encoded (not encrypted!), so anyone who holds a token can read them. Integrity comes from the signature alone, and only when a party that holds the key verifies it. A decoder without that key can show you the claims but cannot tell you whether they are authentic.

    Why You Should Never Decode JWTs on External Servers

    Many online JWT decoders send your token to their server for processing. This is a serious security risk because a JWT is a bearer credential: anyone who obtains it can use it until it expires, and the claims themselves often contain:

    • User IDs and email addresses
    • Permission levels and roles
    • Session identifiers
    • API scopes and access levels

    Our JWT Decoder processes everything in your browser — your token never leaves your device. Even so, treat any live token you paste anywhere as a credential: prefer expired or test tokens when you can, and rotate a production token that has been exposed.

    Step-by-Step: Decode a JWT

    1. Open the tool — Go to our JWT Decoder.
    2. Paste your token — Paste the complete JWT string.
    3. Inspect the header — Check the algorithm (alg) and token type (typ). An alg of none, or an algorithm your API does not expect, is a red flag.
    4. Read the payload — View all claims including sub (subject), exp (expiration), iat (issued at), and any custom claims.
    5. Check expiration — The tool compares the exp claim to the current time and tells you whether the token has expired. This is an expiry check only: without the signing key the tool cannot verify the signature, so an unexpired token is not necessarily a valid one.

    Common JWT Claims Explained

    • sub — Subject: typically the user ID
    • exp — Expiration time (Unix timestamp, seconds)
    • nbf — Not before (Unix timestamp): the token must not be accepted before this time
    • iat — Issued at (when the token was created)
    • iss — Issuer (who created the token)
    • aud — Audience (who the token is intended for; a single string or an array of strings)
    • jti — JWT ID: a unique identifier, useful for revocation and replay detection
    • scope/permissions/roles — What the token authorizes; these are not standard claims, so the names vary by issuer

    Debugging Tips

    • 401 Unauthorized — Check whether the token has expired (exp) or is not yet valid (nbf); a few seconds of clock skew between issuer and API can cause either. If the times look fine, the signature most likely failed verification (wrong key, unexpected algorithm, or a tampered token), which no decoder can show you.
    • 403 Forbidden — Check whether the token carries the required scopes or roles; the token is accepted, but what it authorizes is not enough for this endpoint.
    • Token not accepted — Verify the issuer (iss) and audience (aud) match exactly what the API expects. Most libraries compare these as exact strings, so a trailing slash in iss, or an aud array that does not include the API's own identifier, is enough to fail.

    Decode your JWT securely with our JWT Decoder — everything stays in your browser.
