If you've ever stared at a string of random-looking characters in an Authorization header and wondered what's inside, you need a free JWT decoder online. JSON Web Tokens (JWTs) are base64url-encoded, not encrypted — which means you can read the contents instantly without a key. This guide covers JWT structure, the claims you'll find inside, how to debug authentication issues, and when it's safe (or not safe) to paste a token into a decoder.
Want to decode a token right now? Paste it into our JWT Decoder and see the header, payload, and expiry time in one click — no sign-up required.
What Is a JWT?
A JSON Web Token is a compact, URL-safe string that represents a set of claims — statements about a user or session. JWTs are defined in RFC 7519 and are the most common format for stateless authentication in REST APIs, OAuth 2.0 flows, and single-sign-on systems.
A raw JWT looks like this:
{codeJwtStructure}
Three Base64URL-encoded segments separated by dots. The first is the header, the second is the payload, and the third is the signature. Decoding is simply reversing the base64url encoding on the first two parts.
JWT Structure: Header, Payload, Signature
Header
The header describes the token type and the signing algorithm used:
{codeHeader}
Common algorithm values: HS256 (HMAC-SHA256, symmetric key), RS256 (RSA-SHA256, asymmetric), ES256 (ECDSA). The algorithm matters because it tells the verifier what key material to use.
Payload (Claims)
The payload is where the actual data lives. A typical payload looks like:
{codePayload}
These are the registered claim names you'll encounter most often:
-
sub— Subject. The principal the token is about (usually a user ID). -
iss— Issuer. The server that created the token. -
aud— Audience. The intended recipient(s) of the token. -
exp— Expiration time. Unix timestamp after which the token is invalid. -
iat— Issued at. Unix timestamp when the token was created. -
nbf— Not before. Token is invalid before this timestamp. -
jti— JWT ID. Unique identifier, used to prevent replay attacks.
Signature
The signature is computed by the server using the algorithm specified in the header and a secret key. It covers both the header and the payload, so any modification to either part invalidates the signature. Crucially, decoding a JWT does not verify the signature — that requires the server's secret or public key.
How to Decode a JWT in JavaScript
Since the payload is just base64url-encoded JSON, you can decode it client-side without any library. This is useful for reading claims like exp to check if a token has expired before making an API call:
{codeBase64Decode}
Note the replace(/-/g, '+').replace(/_/g, '/') step — base64url uses - and _ instead of + and /, so you must convert before calling atob().
Verifying a JWT (Server-Side)
Decoding is not verification. To properly authenticate a request, always verify the signature server-side with a trusted library:
{codeVerify}
Never trust a decoded payload without signature verification on the server. A JWT decoder online is for debugging and inspection, not for granting access.
Debugging Common JWT Auth Issues
Token Expired (401 Unauthorized)
Paste the token into the JWT Decoder and check the exp claim. Compare it to the current Unix timestamp (use our Timestamp Converter). If exp is in the past, the token is expired and your application needs to refresh it.
{codeExpCheck}
Wrong Audience or Issuer (403 Forbidden)
Many auth libraries validate iss and aud claims. Decode the token and confirm these match what your server expects. A common mistake when moving between environments (dev/staging/prod) is generating tokens with the wrong aud.
Algorithm Mismatch
Inspect the alg field in the header. If your server expects RS256 but the token was signed with HS256 (or vice versa), verification will fail. This is also an attack vector — the "alg: none" attack — which is why libraries refuse tokens where alg is none.
Clock Skew
If tokens expire immediately after issuance, check server clock synchronization. Many libraries allow a small clockTolerance (e.g., 60 seconds) to account for minor drift between servers.
Security Warnings: When NOT to Paste a Token
A JWT payload is not encrypted — it's only encoded. Anyone who can read the token can read the claims. Before pasting a JWT into any online decoder:
- Never paste production tokens containing real user data (PII) into third-party sites.
- Never paste tokens from live systems that haven't expired yet — they can be reused.
- For debugging production issues, redact or expire the token first, or use a local decoder.
- Our JWT Decoder runs entirely in your browser — the token is never sent to any server.
For learning and development with test tokens, online decoders are perfectly safe and far more convenient than writing a script. For production tokens, prefer browser-side decoding or a local tool.
Related Reading
If you want to go deeper, read our guide on JWT Tokens Explained — it covers token lifecycle, refresh token patterns, and how to store JWTs securely in browser applications.
Want these tools available offline? The DevToolkit Bundle ($9 on Gumroad) packages 40+ developer tools into a single downloadable kit — no internet required.
Summary
- A JWT is three base64url-encoded parts: header, payload, signature.
- Common claims:
sub,iss,aud,exp,iat. - Decoding is not verification — always verify signatures server-side.
- Use an online decoder for debugging test tokens; avoid pasting live production tokens.
- Check exp, aud, iss, and alg when troubleshooting 401/403 errors.
Free Developer Tools
If you found this article helpful, check out DevToolkit — 40+ free browser-based developer tools with no signup required.
Popular tools: JSON Formatter · Regex Tester · JWT Decoder · Base64 Encoder
🛒 Get the DevToolkit Starter Kit on Gumroad — source code, deployment guide, and customization templates.
Top comments (0)