How to Decode a JWT Token
Dev Nexus4 min read
Decode any JSON Web Token to read its header and payload claims in seconds — safely, right in your browser.
A JSON Web Token (JWT) looks like a wall of random characters, but most of it is perfectly readable — you just need to decode it. Whether you're debugging a login, checking why a session expired early, or confirming which scopes a token carries, the first step is always the same: read what's inside.
This guide walks through decoding a JWT to inspect its claims, and — just as important — explains what decoding does not do.
The Problem
When authentication misbehaves, the token holds the answers: who it's for, when it expires, what it's allowed to do. But you can't read a raw JWT by eye.
The usual workarounds are clumsy. You might reach for a quick Node one-liner, hand-decode each segment with a Baseundefined tool, or paste the token into whatever site turns up first in search. That last option is risky — a JWT is often a live credential, and pasting it into a site that sends it to a server hands that credential to a stranger.
The Solution
Decoding a JWT is simple once you know its shape. A token is three BaseundefinedURL-encoded parts joined by dots: header.payload.signature. The header and payload are just JSON, so decoding those first two segments reveals everything you need.
The JWT Decoder does this instantly and entirely in your browser — the token is never uploaded. Paste it in and you get the header and payload as formatted JSON, ready to read. If you'd rather decode a single segment by hand, a Baseundefined tool does that too, since each part is BaseundefinedURL-encoded.
Step-by-Step Guide
- 1
Copy the full token
Grab the whole string — all three parts and both dots. You'll usually find it in an
Authorization: Bearerheader, a cookie,localStorage, or an API response. Watch for a trailing space or line break sneaking in on copy. - 2
Paste it into the decoder
Open the JWT Decoder and drop the token into the input. It splits on the dots and BaseundefinedURL-decodes the header and payload automatically — no run button needed.
- 3
Read the header and payload
The header shows the token type and signing algorithm (
alg), for exampleRS256. The payload shows the claims —sub,iss,aud,iat,expand any custom fields likescopeorroles. - 4
Check the expiry
Look at
exp. It's a Unix timestamp in seconds, not milliseconds. If it's earlier than now, the token has expired. Compare it withiatto see the token's lifetime. - 5
Copy what you need
Copy the decoded payload into a bug report, a test fixture or your notes. Since nothing is uploaded, you can do this with any token you're allowed to handle.
Common Mistakes
Thinking decoding proves the token is real
Decoding only reads the header and payload — it never checks the signature. Anyone can craft a token with any claims. Treat decoded values as claims to inspect, and always verify the signature server-side before trusting them. See JWT Decode vs Verify.
Pasting production tokens into random sites
A JWT is often a bearer credential — whoever holds it can act as the user until it expires. Never paste a production or long-lived token into a tool that sends it to a server. Prefer a decoder that works locally, and use short-lived or test tokens when you can.
Reading exp as milliseconds
JWT timestamps are Unix seconds. If a date resolves to undefined or the far future, you've likely multiplied or divided by undefined by mistake. Convert seconds, not milliseconds.
Assuming the payload is private
The payload is BaseundefinedURL-encoded, not encrypted. Anyone with the token can read it. Never store passwords, keys or sensitive data in a JWT's claims.
Frequently Asked Questions
Can I decode a JWT without the secret key?
Yes. The header and payload are only Base64URL-encoded, so you can decode and read them without any key. The key is only needed to verify or create the signature, not to read the claims.
Is decoding a JWT safe?
Reading a token you're authorized to handle is fine, but the risk is where it's decoded. A browser-based decoder that uploads nothing keeps the token on your machine. Avoid tools that send it to a server, especially for production tokens.
Why does my token fail to decode?
It's probably malformed — a truncated copy, an extra space, missing dots, or an opaque session ID that isn't actually a JWT. Copy the full header.payload.signature string and try again.
What's the difference between decoding and verifying?
Decoding reads the claims; verifying checks the signature with a secret or public key to prove the token is authentic and untampered. Decoding never verifies — that must happen server-side.
Try the Tool
JWT Decoder
Paste a token and read its header and payload instantly — decoded locally, never uploaded.
Related Tools
Related Articles
What's Inside a JWT? Header, Payload & Signature
A plain-English tour of a JWT's three parts and the standard claims you'll find in the payload.
Read articleJWT Decode vs Verify: What's the Difference?
Decoding reads a token's claims; verifying proves they're genuine — mixing them up is how JWT security goes wrong.
Read articleAre UUIDs Really Unique?
In practice UUIDs never collide - here is the math behind why, and the one thing people get wrong: a UUID is an identifier, not a secret.
Read article