JWT Decoder and Verifier Online – Decode and Validate Tokens

Decode JWT, verify JWT, signature.

Understanding JWT Decoding

JSON Web Tokens (JWT) are compact, URL-safe tokens commonly used for authentication, authorization, and secure data exchange between applications. A JWT consists of three parts separated by dots:

Header.Payload.Signature
  • Header – contains token type and signing algorithm
  • Payload – includes claims such as user ID, issuer, audience, and expiration time
  • Signature – verifies that the token was not modified

Decoding a JWT lets developers inspect these values and see whether a token is expired or incorrectly issued. Decoding alone does not show that a token is genuine; that requires verifying the signature.

Example JWT Token

Below is a simple example of a JWT:

        eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNjAwMDAwMDAwLCJleHAiOjE5MDAwMDAwMDB9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Decoded Header
{
  "alg": "HS256",
  "typ": "JWT"
}

This shows the token uses the HS256 signing algorithm and is a standard JWT.

Decoded Payload
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1600000000,
  "exp": 1900000000
}

Key fields explained:

  • sub – subject or user identifier
  • name – display name of the user
  • iat – time when the token was issued
  • exp – expiration timestamp after which the token becomes invalid

Signature Verification

The final part of the JWT is the signature, which ensures:

  • the token content was not tampered with
  • the token was issued by a trusted source

Verification is performed using:

  • a shared secret for HS256 tokens
  • a public key from a JWKS endpoint for RS256 tokens

If verification fails, the token should not be trusted.
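
The HS256 check described above, written out as an added example (it is not this tool's own code). The secret, the function names and the choice to require an exp claim are assumptions made for the illustration, and the sample tokens are constructed inside the script from the claims shown earlier.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(seg):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims, secret, alg="HS256"):
    # Builds constructed sample tokens; `alg` only changes what the header declares.
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def verify_hs256(token, secret, now=None):
    """Return the claims if signature and exp are valid; raise ValueError otherwise."""
    if token.count(".") != 2:
        raise ValueError("malformed token")
    head, body, sig = token.split(".")
    header = json.loads(b64url_decode(head))
    # The verifier pins the algorithm it expects instead of trusting the header.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):  # constant-time
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))  # read only after the MAC checks out
    exp = claims.get("exp")  # requiring exp is a policy choice of this example
    if not isinstance(exp, (int, float)) or (time.time() if now is None else now) >= exp:
        raise ValueError("expired or missing exp")
    return claims

SECRET = b"constructed-demo-secret"  # constructed sample key
CLAIMS = {"sub": "1234567890", "name": "John Doe", "iat": 1600000000, "exp": 1900000000}

def check(token, secret=SECRET, now=1700000000):
    try:
        verify_hs256(token, secret, now)
        return "ok"
    except ValueError as err:
        return str(err)

if __name__ == "__main__":
    good = sign_hs256(CLAIMS, SECRET)
    head, _, sig = good.split(".")
    edited = b64url_encode(json.dumps({**CLAIMS, "name": "Jane Doe"}).encode())
    print(check(good), check(f"{head}.{edited}.{sig}"), check(good, b"other-key"),
          check(good, now=1900000001), check(sign_hs256(CLAIMS, SECRET, "HS512")), sep=" | ")
```

Each rejected case maps to one of the failure reasons listed in the FAQ: an edited payload, the wrong key, a header declaring a different algorithm, and an expired token.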

When to Use a JWT Decoder

Developers typically decode JWTs to:

  • debug login or authentication issues
  • confirm token expiration and renewal timing
  • inspect claims returned by identity providers
  • validate signatures during API integration

This tool allows fast, secure inspection without storing your tokens, making it suitable for development, testing, and troubleshooting workflows.


Frequently Asked Questions (FAQ)

A JSON Web Token (JWT) is a compact, URL-safe string used to securely transmit information between systems. It is commonly used for authentication, authorization, and API security.

A JWT Decoder converts the encoded token into readable JSON so you can inspect the header, payload claims, expiration time, and signature details. This helps developers debug authentication and verify token validity.

No. Decoding only reveals the token contents.
Verification checks the cryptographic signature using a secret key or public key (JWKS) to confirm the token is genuine and untampered.

Yes. The decoder processes tokens securely and does not store them. However, you should avoid sharing sensitive production tokens in public or shared environments.

Look at the exp (expiration) claim in the payload.
If the current time is later than this timestamp, the token is no longer valid and should be refreshed.

JWKS (JSON Web Key Set) is a set of public keys, usually published at a public endpoint, used to verify tokens signed with RSA algorithms like RS256. Applications fetch these keys to confirm token authenticity.

Common reasons include:

  • Wrong secret or public key
  • Token modified after issuance
  • Using the wrong signing algorithm
  • Token already expired