JWT Decoder — Inspect JWT Tokens Instantly (Free, Browser-Based)

If you've ever worked with authentication in a web application, you've almost certainly encountered a JWT. They're compact, they're everywhere, and they can be surprisingly hard to read at a glance. This guide explains exactly what JWTs are, how to decode and inspect them, and why using a client-side decoder matters for your security.

When you're ready to try it yourself, you can decode any JWT instantly at /tools/jwt-decoder/ — no sign-up, no server, nothing sent anywhere.

What Is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format used to securely transmit information between two parties. Defined in RFC 7519, JWTs are most commonly used for:

• Authentication — confirming who a user is after they log in
• Authorization — confirming what a user is allowed to access
• Information exchange — passing verified claims between services

You'll find JWTs in virtually every modern authentication system: OAuth 2.0, OpenID Connect, Firebase Auth, Auth0, Supabase, AWS Cognito, and custom REST APIs alike.

What Does a JWT Look Like?

A JWT is a string of three Base64URL-encoded parts separated by dots:

xxxxx.yyyyy.zzzzz

Here's a real example:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

At first glance it looks like gibberish — but it's actually structured data. Each section has a specific purpose.

The Three Parts of a JWT

1. Header

The header describes the token itself — specifically, the signing algorithm used.

Encoded:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

Decoded:

{
  "alg": "HS256",
  "typ": "JWT"
}

Common values for alg include HS256, RS256, ES256, and none. The algorithm tells the receiving party how the token was signed and how to verify it.

2. Payload

The payload contains the claims — the actual data being transmitted. Claims can be about the user, the session, permissions, or anything else the issuer wants to include.

Encoded:

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ

Decoded:

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Reserved Claims (Standard Fields)

Beyond these, you can include any custom claims — roles, permissions, user metadata, tenant IDs, and so on.

3. Signature

The signature is used to verify that the token hasn't been tampered with. It's computed like this:

HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)

Important: the signature verifies integrity, not confidentiality. The header and payload are only Base64URL-encoded — not encrypted. Anyone who has the token can read what's inside it.

This is exactly why you should never put sensitive information (passwords, credit card numbers, private keys) in a JWT payload.

How to Decode a JWT

Decoding a JWT means reading the header and payload by reversing the Base64URL encoding. This doesn't require the secret key — it's purely a formatting operation.

Using the Intoolhub JWT Decoder

The fastest way is to use the free JWT Decoder at /tools/jwt-decoder/:

1. Paste your JWT into the input field
2. The header, payload, and signature are displayed instantly
3. Timestamps like exp and iat are automatically converted to human-readable dates
4. Nothing leaves your browser — the entire operation runs in JavaScript on your device

Decoding Manually (for understanding)

If you want to understand what's happening under the hood, here's how to decode a JWT in a few lines of JavaScript:

function decodeJWT(token) {
  const [header, payload, signature] = token.split('.')

  const decode = (str) => {
    // Add padding if needed
    const padded = str + '=='.slice(((str.length + 2) % 4) % 3)
    return JSON.parse(atob(padded.replace(/-/g, '+').replace(/_/g, '/')))
  }

  return {
    header: decode(header),
    payload: decode(payload),
    signature: signature, // raw, cannot be decoded without the secret
  }
}

// Example usage
const token =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'

console.log(decodeJWT(token))
// Output:
// {
//   header:  { alg: 'HS256', typ: 'JWT' },
//   payload: { sub: '1234567890', name: 'John Doe', iat: 1516239022 },
//   signature: 'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
// }

You can also do this in Python:

import base64
import json

def decode_jwt_part(part):
    # Fix Base64URL padding
    padding = 4 - len(part) % 4
    part += '=' * (padding % 4)
    decoded = base64.urlsafe_b64decode(part)
    return json.loads(decoded)

token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
header, payload, signature = token.split('.')

print(decode_jwt_part(header))
# {'alg': 'HS256', 'typ': 'JWT'}

print(decode_jwt_part(payload))
# {'sub': '1234567890', 'name': 'John Doe', 'iat': 1516239022}

Decoding vs. Verifying — What's the Difference?

This is one of the most common points of confusion around JWTs.

Decoding is what you do when you want to inspect a token — during development, debugging, or troubleshooting auth issues.

Verifying is what your server does in production to confirm the token was issued by a trusted source and hasn't been modified.

Never skip verification in production just because you can read the token. A decoded token is not a trusted token.

Common Use Cases for a JWT Decoder

Debugging Authentication Issues

Is your frontend sending the right token? Is the exp already in the past? Is the aud claim set correctly for your API? Pasting the token into a decoder takes two seconds and answers all of these questions immediately.

Inspecting Tokens from Third-Party Providers

When using Auth0, Firebase, Cognito, or any OAuth provider, their tokens often contain custom claims, roles, and metadata. Decoding the token lets you see exactly what your backend is working with.

Learning and Education

JWTs are a foundational concept in modern web security. Decoding real tokens and seeing what's inside is one of the fastest ways to understand how authentication actually works in practice.

API Development and Testing

When building or testing APIs that consume JWTs, decoding tokens lets you confirm the payload structure matches what your backend expects — without writing a single line of code.

DevOps and Platform Engineering

Inspecting tokens in CI/CD pipelines, Kubernetes service account tokens, cloud provider tokens (AWS STS, GCP identity tokens), and service meshes is a regular part of platform work. A fast, browser-based decoder removes friction from that workflow.

Why You Should Use a Client-Side JWT Decoder

Not all JWT decoders are equal from a security standpoint.

Many popular online JWT tools process your token server-side — meaning your token travels over the network to someone else's infrastructure, potentially gets logged, and could be exposed if that service is compromised.

This is a real risk. Access tokens, ID tokens, and refresh tokens often carry session information, user identifiers, and permissions. Leaking one could mean leaking a user's session.

The Intoolhub JWT Decoder runs entirely in your browser. The JavaScript decodes the token locally using atob() and string operations. You can open your browser's DevTools, go to the Network tab, paste a token, and watch — zero outbound requests are made during decoding.

For security-conscious developers and teams, this isn't optional — it's the only acceptable approach.

JWT Security Best Practices

While you're here, a few important reminders:

• Always verify on the server — never trust a JWT just because it's well-formed
• Set short expiry times — use exp and implement refresh token rotation
• Use strong algorithms — prefer RS256 or ES256 over HS256 for multi-service architectures
• Never put secrets in the payload — the payload is encoded, not encrypted
• Validate the aud claim — ensures the token was meant for your service
• Use HTTPS everywhere — tokens intercepted in transit are tokens compromised
• Implement token revocation — JWTs are stateless by default; plan for logout and revocation

Frequently Asked Questions

Can I decode a JWT without the secret key? Yes. Decoding only requires Base64URL decoding — no secret needed. Verification requires the secret or public key.

Is it safe to paste my JWT into an online decoder? Only if the tool is 100% client-side. The Intoolhub JWT decoder never sends your token anywhere. Avoid tools that process tokens server-side.

Can I decode an encrypted JWT (JWE)? No. JWE (JSON Web Encryption) tokens are encrypted, not just encoded. You need the private key to decrypt them first. Standard JWTs (JWS) are signed but not encrypted, and can be decoded freely.

What does exp mean in a JWT? exp is the expiry timestamp — a Unix epoch value representing when the token stops being valid. A good decoder will convert this to a human-readable date automatically.

What's the difference between JWT and OAuth? OAuth is an authorization framework. JWT is a token format. OAuth systems commonly use JWTs as the format for access tokens, but OAuth itself doesn't require JWT.

My JWT has three parts but the third one looks different — is it broken? No. The third part is the signature, which is a cryptographic hash — not JSON. It will always look like random characters and cannot be decoded without the signing key.

Decode Your JWT Now

Stop squinting at Base64 strings. Paste your token into the Intoolhub JWT Decoder and see your header, payload, and expiry details laid out clearly — instantly, privately, and for free.

No account. No server. No risk.

→ Open JWT Decoder