Developer

How to Decode a JWT Token

Dev Nexus4 min read

Decode any JSON Web Token to read its header and payload claims in seconds — safely, right in your browser.

A JSON Web Token (JWT) looks like a wall of random characters, but most of it is perfectly readable — you just need to decode it. Whether you're debugging a login, checking why a session expired early, or confirming which scopes a token carries, the first step is always the same: read what's inside.

This guide walks through decoding a JWT to inspect its claims, and — just as important — explains what decoding does not do.

The Problem

When authentication misbehaves, the token holds the answers: who it's for, when it expires, what it's allowed to do. But you can't read a raw JWT by eye.

The usual workarounds are clumsy. You might reach for a quick Node one-liner, hand-decode each segment with a Baseundefined tool, or paste the token into whatever site turns up first in search. That last option is risky — a JWT is often a live credential, and pasting it into a site that sends it to a server hands that credential to a stranger.

The Solution

Decoding a JWT is simple once you know its shape. A token is three BaseundefinedURL-encoded parts joined by dots: header.payload.signature. The header and payload are just JSON, so decoding those first two segments reveals everything you need.

The JWT Decoder does this instantly and entirely in your browser — the token is never uploaded. Paste it in and you get the header and payload as formatted JSON, ready to read. If you'd rather decode a single segment by hand, a Baseundefined tool does that too, since each part is BaseundefinedURL-encoded.

Step-by-Step Guide

  1. 1

    Copy the full token

    Grab the whole string — all three parts and both dots. You'll usually find it in an Authorization: Bearer header, a cookie, localStorage, or an API response. Watch for a trailing space or line break sneaking in on copy.

  2. 2

    Paste it into the decoder

    Open the JWT Decoder and drop the token into the input. It splits on the dots and BaseundefinedURL-decodes the header and payload automatically — no run button needed.

  3. 3

    Read the header and payload

    The header shows the token type and signing algorithm (alg), for example RS256. The payload shows the claims — sub, iss, aud, iat, exp and any custom fields like scope or roles.

  4. 4

    Check the expiry

    Look at exp. It's a Unix timestamp in seconds, not milliseconds. If it's earlier than now, the token has expired. Compare it with iat to see the token's lifetime.

  5. 5

    Copy what you need

    Copy the decoded payload into a bug report, a test fixture or your notes. Since nothing is uploaded, you can do this with any token you're allowed to handle.

Common Mistakes

  • Thinking decoding proves the token is real

    Decoding only reads the header and payload — it never checks the signature. Anyone can craft a token with any claims. Treat decoded values as claims to inspect, and always verify the signature server-side before trusting them. See JWT Decode vs Verify.

  • Pasting production tokens into random sites

    A JWT is often a bearer credential — whoever holds it can act as the user until it expires. Never paste a production or long-lived token into a tool that sends it to a server. Prefer a decoder that works locally, and use short-lived or test tokens when you can.

  • Reading exp as milliseconds

    JWT timestamps are Unix seconds. If a date resolves to undefined or the far future, you've likely multiplied or divided by undefined by mistake. Convert seconds, not milliseconds.

  • Assuming the payload is private

    The payload is BaseundefinedURL-encoded, not encrypted. Anyone with the token can read it. Never store passwords, keys or sensitive data in a JWT's claims.

Frequently Asked Questions

Can I decode a JWT without the secret key?

Yes. The header and payload are only Base64URL-encoded, so you can decode and read them without any key. The key is only needed to verify or create the signature, not to read the claims.

Is decoding a JWT safe?

Reading a token you're authorized to handle is fine, but the risk is where it's decoded. A browser-based decoder that uploads nothing keeps the token on your machine. Avoid tools that send it to a server, especially for production tokens.

Why does my token fail to decode?

It's probably malformed — a truncated copy, an extra space, missing dots, or an opaque session ID that isn't actually a JWT. Copy the full header.payload.signature string and try again.

What's the difference between decoding and verifying?

Decoding reads the claims; verifying checks the signature with a secret or public key to prove the token is authentic and untampered. Decoding never verifies — that must happen server-side.

Try the Tool

JWT Decoder

Paste a token and read its header and payload instantly — decoded locally, never uploaded.

Open JWT Decoder

Related Tools

Related Articles