How to Decode JWT Tokens
Need to inspect a JWT token? Learn what JWTs are, how they work, and how to decode them instantly with our free online JWT decoder.
JSON Web Tokens (JWT) are the industry standard for authentication in modern web applications. If you're a developer, you've almost certainly worked with JWTs — they're used in OAuth, API authentication, single sign-on (SSO), and session management across millions of applications.
But what's actually inside a JWT? How do you debug authentication issues? In this guide, we'll break down JWT structure, explain common claims, and show you how to decode JWT tokens instantly using ToolMix's free JWT Decoder.
What Is a JWT?
A JSON Web Token (JWT, pronounced "jot") is a compact, URL-safe means of representing claims between two parties. It consists of three parts separated by dots: header.payload.signature. The header and payload are Base64URL-encoded JSON; the signature is the Base64URL-encoded raw signature bytes.
JWT Structure Explained
Header
The header typically contains the token type ("JWT") and the signing algorithm being used, such as HMAC SHA256 (HS256) or RSA SHA256 (RS256).
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
The payload contains claims — statements about the user and additional metadata. There are three types of claims: registered (standard), public, and private claims.
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622
}
Signature
The signature lets the recipient check that the token hasn't been tampered with. It's computed over the encoded header and encoded payload (joined by a dot) using the secret or private key and the algorithm named in the header.
How to Decode a JWT Token (Step-by-Step)
Step 1: Open the JWT Decoder
Visit ToolMix's free JWT Decoder. It runs entirely in your browser — no data is ever sent to any server.
Step 2: Paste Your JWT
Paste the complete JWT token (the long string with two dots) into the input field.
Step 3: View the Decoded Parts
The decoder instantly displays the decoded header, payload, and signature information. Timestamps are converted to human-readable dates, and the tool shows whether the token has expired.
Common JWT Claims
- iss (Issuer) — Who created and signed the token
- sub (Subject) — The user or entity the token represents (usually a user ID)
- exp (Expiration) — When the token expires (Unix timestamp)
- iat (Issued At) — When the token was created
- aud (Audience) — The intended recipient of the token
- nbf (Not Before) — Token is not valid before this time
- jti (JWT ID) — Unique identifier for the token
JWT Security Best Practices
- Always verify signatures server-side — Never trust a JWT without verification
- Set short expiration times — Use short-lived access tokens (15-60 minutes)
- Use HTTPS — Always transmit JWTs over encrypted connections
- Don't store sensitive data in the payload — The payload is only encoded, not encrypted
- Validate all claims — Check issuer, audience, and expiration on every request
Frequently Asked Questions
Is it safe to decode JWTs online?
ToolMix's JWT Decoder processes everything in your browser. However, avoid pasting production tokens with sensitive data into any online tool.
Does this tool verify JWT signatures?
No, it only decodes and displays the token contents. Signature verification requires the signing key (the shared secret for HMAC algorithms such as HS256, or the issuer's public key for RS256), and an HMAC secret should never be shared publicly.
Can I decode expired JWT tokens?
Yes. The decoder works on any valid JWT structure regardless of expiration. It will show you the expiration timestamp so you can see when it expired.