JSON Web Token (JWT) Decoder
Decode and display the three components (header, payload, signature) of a JWT.
The JSON Web Token (JWT) Decoder is a developer utility that parses JSON Web Tokens and extracts their encoded header and payload blocks. JWTs are a standard, compact format for transmitting claims between web clients and servers. The tool automates Base64URL decoding, which avoids the mistakes that manual decoding invites. Paste a raw token string and the decoder parses it and formats the JSON objects inside instantly.
JWT Structure Explained
A JSON Web Token consists of three segments separated by periods (.): the header, the payload, and the signature. The header defines the token type and the cryptographic signing algorithm (e.g. HS256). The payload contains the claims: statements about the user plus additional metadata (e.g. user ID, expiration timestamp). The signature, computed with a secret server key, lets the server verify that the token was not tampered with.
Four structural properties govern token decoding. First, the token string must contain exactly two period characters separating the three blocks. Second, the header and payload blocks are Base64URL-encoded strings that do not require a secret key to read, so anyone holding the token can read them. Third, the signature block is cryptographic and cannot be reversed to recover the secret key. Fourth, claims such as expiration (exp) and issued-at (iat) are Unix epoch timestamps that must be converted to calendar dates to be readable. Parsing tools rely on these properties to output readable claim summaries.
The History of Web Authentication
In early web applications, session authentication relied on stateful cookies stored on servers. When a user logged in, the server created a session ID in its database and set a cookie in the user's browser, which required constant database queries to verify permissions. In 2015, the Internet Engineering Task Force (IETF) standardized JSON Web Tokens in RFC 7519, introducing stateless token-based authentication. JWTs allowed servers to embed user permissions directly inside the token, eliminating database queries and introducing scalable authentication across modern cloud networks and microservices.
How the JWT Decoder Works
To decode a token, paste the JWT string and execute the decoding. The parsing engine processes the token through a 3-step sequence.
- Token Splitting: The engine validates the token layout, splitting the string using the period character. It flags formatting errors if the count of segments is incorrect.
- Base64URL Decoding:
  - The engine replaces URL-safe Base64 characters (hyphens and underscores) with standard Base64 characters (pluses and slashes).
  - It decodes the header and payload segments into UTF-8 JSON strings.
- Data Formatting: The engine parses the JSON strings, formatting them with proper indentation spacing, and translates numeric epoch timestamps into calendar dates.
For example, decoding a standard authentication token extracts user IDs and displays the exact date the token expires. The tool displays this result instantly, ready for inspection.
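The three-step sequence above, written out as an added JavaScript example for Node.js; it is not the tool's own code. The function names, the shape of the result and the sample token are assumptions made for illustration: the token is constructed from the claim values in this page's claims table, with a placeholder signature.

```javascript
function decodeSegment(segment, name) {
  // Buffer.from() silently skips invalid characters, so check the alphabet first.
  if (!/^[A-Za-z0-9_-]+$/.test(segment) || segment.length % 4 === 1) {
    throw new Error(`${name}: not valid Base64URL`);
  }
  // Step 2: map '-' and '_' back to '+' and '/', then restore the stripped padding.
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  let obj;
  try {
    const bytes = Buffer.from(b64, "base64");
    obj = JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
  } catch (err) {
    throw new Error(`${name}: not UTF-8 JSON (${err.message})`);
  }
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    throw new Error(`${name}: not a JSON object`);
  }
  return obj;
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  // Step 1: exactly two periods, so exactly three segments.
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) throw new Error(`expected 3 segments, got ${parts.length}`);
  const header = decodeSegment(parts[0], "header");
  const payload = decodeSegment(parts[1], "payload");
  // Step 3: convert epoch-second claims to ISO 8601 dates for display.
  const dates = {};
  for (const claim of ["exp", "iat"]) {
    const d = new Date(payload[claim] * 1000);
    if (typeof payload[claim] === "number" && !Number.isNaN(d.getTime())) {
      dates[claim] = d.toISOString();
    }
  }
  const expired = typeof payload.exp === "number" ? nowSeconds >= payload.exp : null;
  // The signature stays encoded and unchecked: these claims are unverified.
  return { header, payload, dates, expired, signature: parts[2], signatureVerified: false };
}

// Constructed sample token: claim values from this page's claims table, placeholder signature.
const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "1234567890", iat: 1516239022, exp: 1816239022 }),
  "Y29uc3RydWN0ZWQ",
].join(".");
console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN), null, 2));
```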
JWT Claims Reference Table
The table below displays common registered claims found in JWT payloads.
| Claim Key | Official Claim Name | Data Type | Payload Example | Operational Purpose |
|---|---|---|---|---|
| sub | Subject | String | "1234567890" | Identifies the user or system profile associated with the token |
| iss | Issuer | String | "https://auth.example.com" | Identifies the authorization server that issued the token |
| iat | Issued At | Number (Timestamp) | 1516239022 | Records the exact time the token was created for audit logs |
| exp | Expiration Time | Number (Timestamp) | 1816239022 | Defines the exact time the token ceases to be valid for access |
| aud | Audience | String / Array | "admin-portal" | Identifies the target systems that accept this token |
Frequently Asked Questions
Does this decoder verify the token signature?
No, this decoder only parses the publicly readable Base64URL data and does not verify the signature, so the decoded claims are unverified. Verifying a token signature requires the secret cryptographic key used to create the token.
Are my tokens sent to a server when decoding?
No, the decoding occurs locally in your browser memory, ensuring that sensitive token claims remain private. This prevents exposing user data to external networks.
Why does my token contain a signature?
The signature is critical to prove the token's authenticity. Without it, clients could modify their permissions (e.g. changing role from 'user' to 'admin') and bypass security controls.
Inspect Your Authentication Tokens Instantly
Manual Base64URL decoding of multi-segment tokens is tedious and prone to formatting errors. The JSON Web Token (JWT) Decoder provides reliable, instant claim formatting. Use this tool to inspect token values, debug API headers, and check security claims easily.