JWT Decoder

Decode and inspect JWT tokens instantly. View header, payload, and signature. Check expiration, issuer, and claims. Free online JWT decoder — no data sent to any server.

Paste a JWT token and click Decode

What is a JWT (JSON Web Token)?

A JSON Web Token (JWT, pronounced "jot") is an open standard (RFC 7519) for securely transmitting information between parties as a compact, URL-safe JSON object. JWTs are the backbone of modern authentication and authorization — when you log into a web application, receive an OAuth2 access token, or authenticate with an API, you're almost certainly using JWTs. They're used by every major identity provider including Auth0, AWS Cognito, Firebase Auth, Okta, and Azure AD.

What makes JWTs powerful is their self-contained nature: the token itself carries all the information needed to verify the user's identity and permissions. Unlike session-based authentication where the server must look up session data in a database on every request, a JWT can be verified using only the signing key. This stateless property makes JWTs ideal for microservices architectures, serverless functions, and distributed systems where sharing session state between services would be impractical.

This decoder parses JWT tokens entirely in your browser — no data is ever sent to a server. It splits the token into its three components (header, payload, signature), Base64URL-decodes each part, and displays the JSON contents with syntax highlighting. It also checks the exp claim against the current time to tell you whether the token is still valid. This is invaluable when debugging authentication issues, inspecting tokens from OAuth flows, or verifying that your token service is issuing correct claims.

JWTs work alongside many other developer tools. The exp, iat, and nbf claims are Unix timestamps — use our converter to check exact expiration times. The sub claim often contains a UUID identifying the user. JWT payloads are JSON objects that you can format with our JSON Formatter. And the token itself is Base64URL-encoded, which is a URL-safe variant of standard Base64.

JWT Structure

A JWT consists of three parts separated by dots (.):

eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U
|_________________________|.___________________________|.___________________________________|
         Header                      Payload                        Signature
  • Header: Contains metadata — the token type ("typ": "JWT") and the signing algorithm ("alg": "HS256", "RS256", etc.).
  • Payload: Contains the claims — statements about the user (like user ID, email, roles) and metadata (like expiration time). This is the main data carrier.
  • Signature: Created by signing the encoded header and payload with a secret key (HMAC) or private key (RSA/ECDSA). Used to verify the token hasn't been tampered with.

Common JWT Claims

  • sub (Subject) — Identifies the principal (usually a user ID or UUID)
  • iat (Issued At) — Unix timestamp when the token was created
  • exp (Expiration) — Unix timestamp after which the token is invalid
  • nbf (Not Before) — Unix timestamp before which the token is not valid
  • iss (Issuer) — Who issued the token (e.g., your auth server's URL)
  • aud (Audience) — Who the token is intended for (e.g., your API's identifier)
  • jti (JWT ID) — Unique identifier for the token (for revocation tracking)
  • scope — OAuth2 scopes granted to the token
  • roles — Application-specific roles or permissions

Practical Examples

1. Decode a JWT in JavaScript (without a library):

function decodeJWT(token) {
  const [header, payload, signature] = token.split('.');
  return {
    header: JSON.parse(atob(header)),
    payload: JSON.parse(atob(payload)),
    signature: signature
  };
}

const decoded = decodeJWT(myToken);
console.log(decoded.payload.sub);  // User ID
console.log(decoded.payload.exp);  // Expiration timestamp

2. Check if a JWT is expired:

function isTokenExpired(token) {
  const payload = JSON.parse(atob(token.split('.')[1]));
  if (!payload.exp) return false; // No expiration set
  return payload.exp < Math.floor(Date.now() / 1000);
}

if (isTokenExpired(accessToken)) {
  // Refresh the token or redirect to login
}

3. Create a JWT in Node.js (using jsonwebtoken):

const jwt = require('jsonwebtoken');

const token = jwt.sign(
  { sub: 'user-123', role: 'admin' },
  process.env.JWT_SECRET,
  { expiresIn: '1h', issuer: 'my-app' }
);
// eyJhbGciOiJIUzI1NiIs...

4. Verify a JWT in Python:

import jwt

try:
    payload = jwt.decode(
        token,
        public_key,
        algorithms=['RS256'],
        audience='my-api'
    )
    user_id = payload['sub']
except jwt.ExpiredSignatureError:
    print("Token has expired")
except jwt.InvalidTokenError:
    print("Invalid token")

5. Extract JWT from an Authorization header:

// Express.js middleware
function extractToken(req, res, next) {
  const authHeader = req.headers.authorization;
  if (authHeader && authHeader.startsWith('Bearer ')) {
    req.token = authHeader.slice(7); // Remove "Bearer " prefix
  }
  next();
}

Signing Algorithms

  • HS256 (HMAC-SHA256): Symmetric — same secret key signs and verifies. Simple but requires sharing the secret with all verifiers.
  • RS256 (RSA-SHA256): Asymmetric — private key signs, public key verifies. Ideal when multiple services need to verify tokens without having the signing key.
  • ES256 (ECDSA-SHA256): Asymmetric with smaller keys than RSA. Faster verification and shorter signatures. Increasingly popular for new systems.
  • EdDSA (Ed25519): Modern asymmetric algorithm. Fastest verification, smallest signatures, and strong security properties.

Security Best Practices

  • Always validate the signature — never trust a JWT payload without verification.
  • Check the exp claim — reject expired tokens.
  • Validate iss and aud claims — ensure the token was issued by your auth server for your application.
  • Never store sensitive data in the payload — JWTs are encoded, not encrypted. Anyone with the token can read the payload.
  • Use short expiration times (15 minutes for access tokens) with refresh token rotation.
  • Never use the "alg": "none" algorithm in production — it disables signature verification.

Frequently Asked Questions

Is it safe to decode a JWT in the browser?

Yes, decoding (reading the contents) is perfectly safe and is done entirely client-side. JWT payloads are only Base64URL-encoded, not encrypted — anyone who has the token can read its contents. The security of a JWT comes from its signature, which proves the token hasn't been tampered with. This tool decodes tokens in your browser without sending any data to a server. However, you should never paste tokens from production systems into untrusted online tools.

What is the difference between JWT encoding and encryption?

Standard JWTs (JWS — JSON Web Signature) are signed but not encrypted. The payload is Base64URL-encoded, which is a reversible encoding — not encryption. Anyone with the token can decode and read the payload. If you need encrypted tokens, use JWE (JSON Web Encryption), which encrypts the payload so only the intended recipient can read it. In practice, most systems use signed JWTs and simply avoid putting sensitive data in the payload.

How do I handle JWT expiration in a single-page application?

The standard approach is to use short-lived access tokens (15-60 minutes) paired with longer-lived refresh tokens. When the access token expires, silently request a new one using the refresh token. Implement this by: 1) Checking the exp claim before each API call, 2) If expired or about to expire, call your refresh endpoint, 3) Retry the original request with the new token. Libraries like axios-auth-refresh automate this pattern. Store refresh tokens in httpOnly cookies for security.

What does "invalid signature" mean when decoding a JWT?

An "invalid signature" error means the token's signature doesn't match what the verification key produces. Common causes: 1) Using the wrong secret or public key to verify, 2) The token was tampered with (payload modified after signing), 3) Using the wrong algorithm (e.g., trying to verify an RS256 token with an HS256 secret), 4) The token was issued by a different auth server than expected. Always ensure your verification key matches the issuer's signing key.

Should I store JWTs in localStorage or cookies?

Neither option is perfect — each has tradeoffs. localStorage is vulnerable to XSS attacks (malicious scripts can read the token), while cookies are vulnerable to CSRF attacks. The recommended approach is: store access tokens in memory (JavaScript variable) for the shortest exposure, and store refresh tokens in httpOnly, Secure, SameSite=Strict cookies where JavaScript cannot access them. This protects against both XSS and CSRF while maintaining a good user experience.

Related Tools

Free Chrome extensions from Ataiva that pair well with this tool:

Explore More Free Tools

🔧

Aspect Ratio Calculator

Calculate width, height, or ratio. Solve any one from the other two. 16:9, 4:3, 21:9, 9:16, 1:1, custom. Free, runs in your browser.

🔧

BPM to Milliseconds Calculator

Convert BPM to delay times in milliseconds. Whole, half, quarter, 1/8, 1/16, 1/32 notes plus dotted and triplet variants. Free tempo-sync calculator for producers.

🔧

Chmod Calculator

Convert chmod permissions between octal (e.g. 755) and symbolic (rwxr-xr-x) form. Toggle read/write/execute checkboxes for owner, group, and other. Free, runs in your browser.

🔧

Color Contrast Checker

Check color contrast for WCAG AA and AAA compliance. Live preview, hex and rgb support, instant pass/fail across 5 levels. Free, in-browser.

🔧

Cron Expression Explainer

Paste a cron expression, get a plain-English explanation plus the next 5 run times. Handles macros (@daily, @hourly), ranges, and steps. Free, in-browser.

🔧

CSV to Markdown Table

Paste CSV (or TSV), get a clean GitHub-flavored Markdown table. Auto column alignment, header detection, custom delimiters. Free, in-browser.

🔧

Cubic Bezier Generator

Visual editor for CSS cubic-bezier() easing curves. Drag the control handles, see the live animation, copy the CSS. Free, in-browser.

🔧

Env to JSON Converter

Convert .env files to JSON instantly. Handles quoted values, comments, escape sequences, and type coercion. Free, runs in your browser, no signup.

🔧

HTML Entity Encoder & Decoder

Encode and decode HTML entities — minimal, named, numeric, or hex. Handles &amp;, &lt;, &gt;, accented characters, em dash, smart quotes. Free, browser-based.

🔧

HTTP Status Code Lookup

Searchable reference for every HTTP status code. 1xx, 2xx, 3xx, 4xx, 5xx, plus Cloudflare 5xx codes. Free, instant lookup, runs in your browser.

🔧

JSON Diff

Compare two JSON values semantically. Shows added, removed, and changed keys with the exact path. Free, runs in your browser.

🔧

JSON to Go Struct Generator

Convert JSON to idiomatic Go structs with json tags, time.Time detection, omitempty support. Free, in-browser.

🔧

JSON to TypeScript Interface Generator

Paste JSON, get TypeScript interfaces. Handles nested objects, arrays, unions, optional fields. No signup, runs in your browser.

🔧

Lorem Ipsum Generator

Generate placeholder text. Classic Lorem Ipsum, hipster, corporate, and dev variants. Words, sentences, paragraphs, lists. Free, in-browser.

🔧

Markdown to HTML Converter

Convert Markdown to HTML with live preview. Headings, lists, code blocks, links, images, blockquotes. Free, in-browser.

🔧

Number Base Converter

Convert numbers between binary, octal, decimal, hex, and any base from 2 to 36. BigInt-safe for large values. Free, in-browser.

🔧

Slugify Text

Generate URL-safe slugs from any text. Handles accents, Unicode, stop words, custom separators, length limits. Free, in-browser.

🔧

Text Case Converter

Convert text to camelCase, snake_case, kebab-case, PascalCase, CONSTANT_CASE, Title Case, and 7 more. Free, instant, in-browser.

🔧

YAML Validator

Validate YAML syntax, find duplicate keys, indentation issues, tabs in indent, and trailing whitespace. JSON preview included.

🔧

Cron Expression Generator

Generate and validate cron expressions with a visual builder. See next execution times, human-readable descriptions, and common presets. Free online crontab generator for developers.

🔧

Regex Tester

Test regular expressions with real-time matching and highlighting. Supports JavaScript regex flags (g, i, m, s). See match groups, captures, and indices. Free online regex tester.

🔧

Unix Timestamp Converter

Convert Unix timestamps to human-readable dates and vice versa. Supports seconds and milliseconds. Shows current epoch time live. Free online tool for developers.

🔧

UUID Generator

Generate random UUIDs (v4), time-based UUIDs (v7), and ULIDs instantly. Bulk generate up to 100 at once. Free online UUID generator for developers — no signup required.

🔧

Base64 Encoder & Decoder

Encode text to Base64 or decode Base64 back to plain text instantly. Free online Base64 converter with file support and batch processing. No registration required.

🎨

Color Palette Generator

Generate beautiful color palettes instantly. Create complementary, analogous, triadic, and monochromatic color schemes for web design, branding, and creative projects.

📝

JSON Formatter & Validator

Format, validate, and beautify JSON data instantly with our free online JSON formatter. Supports minification, syntax highlighting, and error detection. No registration required.

🔧

JSON to YAML Converter

Convert JSON to YAML and YAML to JSON instantly with our free online converter. Supports validation, formatting, and syntax highlighting. No registration required.

🔑

Password Generator

Generate strong, secure passwords instantly with our free password generator. Customize length, character types, and complexity. No registration required, privacy-focused.

📊

Percentage Calculator

Calculate percentages, percentage increases/decreases, and compare values instantly. Free online percentage calculator with multiple calculation types and detailed results.

🔧

SEO Meta Tag Generator

Generate SEO-optimized meta tags instantly. Create title tags, meta descriptions, Open Graph tags, and Twitter Cards for better search engine visibility.

🔧

Subnet Calculator

Plan IPv4 subnets visually. Enter a CIDR block, split it, see network/broadcast/host counts. Free, runs in your browser.

🔧

Tools Sitemap

Complete list of all free developer tools available on Ataiva. Find password generators, JSON formatters, converters, and more utilities for developers.

📏

Unit Converter

Convert between various units such as length, weight, temperature, and more.

📄

Word Counter & Text Analyzer

Count words, characters, sentences, and paragraphs instantly. Analyze readability, text complexity, and writing style with our text analyzer.