ToolMix
ConvertersFebruary 15, 2026

JWT Decoder: Understanding JSON Web Tokens

JSON Web Tokens (JWTs) power modern authentication. Learn how to decode JWTs, read payload claims, and understand token structure with our free online tool.

jwtauthenticationsecurityweb development

JSON Web Tokens (JWTs) have become the standard for stateless authentication in modern web applications. But JWTs look like random strings to the untrained eye. Understanding how to decode and inspect them is essential for debugging authentication flows, validating token claims, and securing your applications.

This comprehensive guide explains what JWTs are, how they work, and how to decode them safely using ToolMix's free JWT decoder. You'll learn to read token payloads, verify expiration times, and troubleshoot authentication issues.

What Is a JSON Web Token (JWT)?

A JWT is a compact, URL-safe token format used for securely transmitting information between parties. JWTs consist of three parts separated by dots (.): header, payload, and signature.

// JWT structure
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

// Three parts:
// 1. Header:    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
// 2. Payload:   eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
// 3. Signature: SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

JWT Structure Explained

Header

The header contains metadata about the token, typically the signing algorithm and token type:

{
  "alg": "HS256",  // Signing algorithm (HMAC SHA-256)
  "typ": "JWT"     // Token type
}

Payload

The payload contains claims — statements about the user and additional data:

{
  "sub": "1234567890",        // Subject (user ID)
  "name": "John Doe",         // Custom claim
  "iat": 1516239022,          // Issued at (timestamp)
  "exp": 1516242622,          // Expiration time
  "role": "admin"             // Custom claim
}

Signature

The signature verifies the token hasn't been tampered with. It's created by signing the encoded header and payload with a secret key.

Why Decode JWTs?

  • Debugging authentication — Verify that tokens contain the expected claims
  • Checking expiration — See when a token expires to troubleshoot timeouts
  • Understanding permissions — Inspect role/permission claims
  • API integration — Validate that third-party APIs send correct token data
  • Learning — Study real JWTs to understand token structure
  • Security audits — Review token contents during security assessments

How to Decode a JWT

Using ToolMix's JWT decoder is straightforward:

  • Step 1: Copy the JWT token from your application, API response, or browser storage
  • Step 2: Navigate to the JWT Decoder tool
  • Step 3: Paste the token into the input field
  • Step 4: View the decoded header, payload, and signature
  • Step 5: Inspect claims, expiration, and other metadata

🔓 Try our free JWT Decoder

Try it free

Standard JWT Claims

JWTs use registered claim names for common purposes:

  • iss (issuer) — Who created and signed the token
  • sub (subject) — Whom the token is about (usually a user ID)
  • aud (audience) — Who the token is intended for
  • exp (expiration) — When the token expires (Unix timestamp)
  • iat (issued at) — When the token was created
  • nbf (not before) — Token isn't valid before this time
  • jti (JWT ID) — Unique identifier for the token

Security Considerations

Important security facts about JWTs:

  • JWTs are signed, not encrypted — Anyone can decode and read the payload
  • Never store sensitive data in JWTs — Assume tokens can be decoded by anyone
  • Validate signatures on the server — Decoding shows content; validation proves authenticity
  • Avoid online decoders for production tokens — Use local tools for sensitive tokens
  • Check expiration — Always verify tokens haven't expired before using them
  • Use HTTPS — Transmit JWTs over secure connections only

Common JWT Algorithms

  • HS256 (HMAC SHA-256) — Symmetric algorithm using a shared secret
  • RS256 (RSA SHA-256) — Asymmetric algorithm using public/private key pairs
  • ES256 (ECDSA SHA-256) — Elliptic curve algorithm, more efficient than RSA
  • PS256 (RSA-PSS SHA-256) — RSA with probabilistic signature scheme
  • none — No signature (should never be accepted in production)

Best Practices for Using JWTs

  • Set short expiration times — Use refresh tokens for long-lived sessions
  • Include minimal data — Only put necessary claims in the payload
  • Use strong secrets — For HS256, use secrets at least 256 bits long
  • Validate on every request — Don't trust decoded tokens without signature verification
  • Implement token rotation — Refresh tokens before expiration
  • Store securely — Use httpOnly cookies or secure local storage

Frequently Asked Questions

Try the Tool

JWT Decoder

Decode and inspect JWT tokens

Base64 Encoder/Decoder

Encode and decode Base64 strings

JSON Formatter

Format, validate, and beautify JSON

Related Articles

Generators

How to Create a QR Code for Free

Converters

How to Format JSON Online

Generators

How to Generate a Strong Password

Ad Space (728x90)