Privacy-First Browser Tools

Unified Tools Platform

Guide

How to Decode JWT Tokens

JWTs (JSON Web Tokens) are everywhere in modern authentication — APIs, single sign-on, mobile apps. This guide explains their structure, what each part contains, common security mistakes to avoid, and how to decode them safely.

Last updated: April 10, 2026

Share:

What Is a JWT?

A JWT is a compact, URL-safe token format for transmitting claims between two parties. It's commonly used for authentication: after you log in, the server creates a signed token containing your identity and permissions, and you include it in subsequent requests.

A JWT looks like this: xxxxx.yyyyy.zzzzz — three Base64URL-encoded parts separated by dots. Despite looking encrypted, JWTs are only encoded — anyone can read the contents. The signature ensures the contents haven't been tampered with, but doesn't hide them.

The Three Parts of a JWT

  • Header — Contains the token type ("JWT") and the signing algorithm (e.g., HS256, RS256). Example: {"alg": "RS256", "typ": "JWT"}
  • Payload — Contains the claims: user data, permissions, expiration time, etc. Standard claims include "sub" (subject/user ID), "exp" (expiration), "iat" (issued at), "iss" (issuer).
  • Signature — Created by signing header + payload with a secret key (HMAC) or private key (RSA/ECDSA). This prevents tampering — changing any byte in the header or payload invalidates the signature.

Common JWT Claims Explained

  • "sub" (Subject): Identifies the user — typically a user ID or email.
  • "exp" (Expiration): Unix timestamp after which the token is invalid. Always set this.
  • "iat" (Issued At): When the token was created.
  • "iss" (Issuer): Who created the token (e.g., your auth server's domain).
  • "aud" (Audience): Who the token is intended for (e.g., your API's identifier).
  • "nbf" (Not Before): Token is not valid before this time.
  • Custom claims: You can add any data — roles, permissions, tenant ID, etc. Keep tokens small though.

Signing Algorithms: HS256 vs RS256

HS256 (HMAC-SHA256): Uses a single shared secret to both sign and verify. Simpler, but the secret must be kept on every server that verifies tokens. Best for simple setups where the same server issues and verifies tokens.

RS256 (RSA-SHA256): Uses a private key to sign and a public key to verify. The public key can be shared freely, so any service can verify tokens without having the signing secret. Best for microservices and third-party integrations. Most production systems use RS256 or ES256.

Security Best Practices

  • Never store sensitive data in the payload. JWTs are encoded, not encrypted — anyone can decode them.
  • Always validate the signature server-side. Never trust a JWT just because it's present.
  • Set short expiration times (15-60 minutes for access tokens). Use refresh tokens for longer sessions.
  • Always check the "alg" header server-side. The "none" algorithm attack is a classic exploit where attackers remove the signature entirely.
  • Validate the "iss" and "aud" claims to prevent token confusion attacks across services.
  • Store tokens securely in the browser — HttpOnly cookies are safer than localStorage for web apps.
  • Use a token revocation strategy (blocklist or short expiry + refresh) since JWTs can't be invalidated once issued.

When to Use (and Not Use) JWTs

  • Good for: Stateless API authentication, single sign-on (SSO), passing claims between microservices, short-lived authorization tokens.
  • Not ideal for: Session management (session cookies are simpler and revocable), storing large amounts of data (tokens get big and slow), anything requiring instant revocation.
  • If you need to revoke tokens instantly (e.g., user logs out), you need a server-side blocklist, which partially negates the stateless benefit of JWTs.

Using Our JWT Decoder Tool

Paste any JWT into our decoder and instantly see the decoded header, payload, and signature status. The tool runs entirely in your browser — your tokens are never sent to any server.

Use it for debugging authentication issues, inspecting token contents during development, verifying expiration times, or understanding third-party tokens you receive.

Keep Reading

More developer tools guides and comparisons

How to Format JSON Safely Online

Best practices for formatting, validating, and cleaning up JSON data without exposing sensitive information.

Regex Basics for Beginners

Learn regular expressions from scratch — syntax, quantifiers, groups, 10 practical patterns, and common mistakes to avoid.

Understanding Hash Functions

MD5, SHA-1, SHA-256 compared — when to use each, common use cases, and misconceptions about hashing vs encryption.

Browse Developer Tools guidesExplore comparisons

Follow Updates

Get new tools and guides as they ship

Follow our updates page for new launches, privacy-first workflows, and editorial guides. RSS is live now, and email digests appear when a deployment has a configured provider.

Follow updatesRSS feed