JWT Decoder
Decode JSON Web Tokens (JWT) to inspect their contents. JWT tokens are used for authentication and information exchange in web applications. Our decoder parses the token and displays the header, payload, and signature in a readable format.
JWT Token Structure
JWT tokens consist of three parts separated by dots (.):
1. Header: Contains the token type (JWT) and signing algorithm (e.g., HS256, RS256)
2. Payload: Contains claims (statements about the user and additional data)
3. Signature: Used to verify the token hasn't been tampered with
Common JWT Debugging Scenarios
- Checking if a token is expired when users report authentication failures
- Verifying that required claims (roles, permissions) are present in the token
- Confirming the correct issuer and audience for multi-tenant applications
- Inspecting tokens from third-party OAuth providers during integration
- Auditing token contents for security review
- Understanding token structure when implementing JWT authentication from scratch
All decoding happens entirely in your browser. JWT tokens often contain sensitive user data and should never be pasted into tools that transmit data to servers. TechConverter's client-side processing ensures your tokens remain completely private.
Common JWT Claims
- iss (issuer) - Who issued the token
- sub (subject) - User identifier
- aud (audience) - Intended recipient
- exp (expiration) - When the token expires
- iat (issued at) - When the token was created
- nbf (not before) - Token not valid before this time
How to Use
- Copy your JWT token from your application or API response
- Paste it into the decoder input field
- Click "Decode JWT" to view the contents
- Inspect the header, payload, and signature information
Security Best Practices
- Never share JWT tokens containing sensitive data
- Don't decode production tokens on public websites
- Always verify signatures on the server side
- Use HTTPS to transmit JWT tokens
- Set appropriate expiration times
- Store tokens securely (httpOnly cookies recommended)
Common Use Cases
- Debugging authentication issues
- Inspecting token claims and expiration
- Understanding JWT structure for development
- Testing JWT implementations
- Learning about JWT tokens
Examples
Example 1: Decoding a Standard Authentication Token
A developer is debugging a 401 Unauthorized error and wants to inspect the JWT being sent in the Authorization header.
Token (paste into the decoder):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsIm5hbWUiOiJBbGljZSBTbWl0aCIsImVtYWlsIjoiYWxpY2VAZXhhbXBsZS5jb20iLCJyb2xlcyI6WyJ1c2VyIiwiZWRpdG9yIl0sImlhdCI6MTcxMDAwMDAwMCwiZXhwIjoxNzEwMDAzNjAwfQ.signature
Decoded Header:
{
  "alg": "HS256",
  "typ": "JWT"
}
Decoded Payload:
{
  "sub": "user_123",
  "name": "Alice Smith",
  "email": "alice@example.com",
  "roles": ["user", "editor"],
  "iat": 1710000000,
  "exp": 1710003600
}
The decoder immediately reveals the token was issued at Unix timestamp 1710000000 and expires at 1710003600 — exactly one hour later. If the current time is past the expiration, the decoder flags the token as expired, which explains the 401 error.
Example 2: Understanding Standard JWT Claims
JWT has a set of registered claim names with specific meanings. The decoder highlights and explains each one:
- sub (Subject) — the user or entity the token represents, typically a user ID
- iss (Issuer) — the authentication server that issued the token
- aud (Audience) — the intended recipient of the token, often an API URL
- exp (Expiration Time) — Unix timestamp after which the token is invalid
- nbf (Not Before) — Unix timestamp before which the token is not valid
- iat (Issued At) — Unix timestamp when the token was created
- jti (JWT ID) — unique identifier for the token, used to prevent replay attacks
The decoder converts Unix timestamps to human-readable dates automatically, so you can see at a glance when a token was issued and when it expires.
Example 3: Decoding an OAuth 2.0 Access Token
A developer integrating with an OAuth 2.0 provider like Auth0 or Okta wants to understand the access token structure.
Decoded Payload from an Auth0 token:
{
  "iss": "https://myapp.auth0.com/",
  "sub": "auth0|64a1b2c3d4e5f6a7b8c9d0e1",
  "aud": [
    "https://api.myapp.com",
    "https://myapp.auth0.com/userinfo"
  ],
  "iat": 1710000000,
  "exp": 1710003600,
  "azp": "client_id_here",
  "scope": "openid profile email read:orders write:orders",
  "permissions": ["read:orders", "write:orders"]
}
From this decoded token, the developer can see:
- The token was issued by Auth0 for their specific tenant
- The subject is an Auth0 user ID
- The token is valid for two audiences: the API and the userinfo endpoint
- The user has read:orders and write:orders permissions
- The token expires in one hour
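The decoding behind Examples 1 and 3 can be reproduced locally, so a token never has to leave your machine. The following JavaScript is an added example, not TechConverter's code; the function names and status strings are assumptions, and it only decodes the token without verifying the signature.

```javascript
// Added example: decode (not verify) a JWT and evaluate its claims.
// Function names and status strings are illustrative assumptions.

// Token from Example 1; its third segment is the page's placeholder text.
const SAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiJ1c2VyXzEyMyIsIm5hbWUiOiJBbGljZSBTbWl0aCIsImVtYWlsIjoiYWxpY2VAZXhhbXBsZS5jb20iLCJyb2xlcyI6WyJ1c2VyIiwiZWRpdG9yIl0sImlhdCI6MTcxMDAwMDAwMCwiZXhwIjoxNzEwMDAzNjAwfQ." +
  "signature";

// base64url differs from base64: '-' and '_' replace '+' and '/', no '=' padding.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not base64url");
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4 !== 0) b64 += "=";
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Parse header and payload. The signature is returned untouched: nothing here
// proves the token is authentic, so never base an access decision on it.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
    signature: parts[2],
    signatureVerified: false,
  };
}

// exp and nbf are seconds since the Unix epoch; pass the clock in so the
// check is repeatable (use Math.floor(Date.now() / 1000) for the real time).
function timeStatus(payload, nowSeconds) {
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) return "not-yet-valid";
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) return "expired";
  return "within-validity-window";
}

// aud may be a single string (common) or an array, as in Example 3.
function audienceIncludes(payload, expected) {
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  return aud.includes(expected);
}
```

Anything the decoder shows is attacker-controllable until the server has verified the signature with its own key, so treat these results as debugging output only.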
Frequently Asked Questions
Paste your JWT token into the decoder input field. The tool automatically decodes the token and displays the header, payload, and signature. JWT tokens are base64url encoded and consist of three parts separated by dots: header.payload.signature.
Our JWT decoder processes everything in your browser using JavaScript. No data is sent to servers. However, never decode production JWT tokens containing sensitive data on any online tool. Use this for development and testing only.
JWT tokens contain three parts: Header (algorithm and token type), Payload (claims like user ID, expiration, issuer), and Signature (verification hash). The header and payload are base64url encoded JSON objects that can be decoded to view their contents.
This tool decodes and displays JWT contents but does not verify signatures. Signature verification requires the secret key or public key, which should never be entered into online tools for security reasons.