JWT Decoder: How to Read and Verify JSON Web Tokens

JSON Web Tokens (JWTs) are everywhere in modern web applications. They power authentication in REST APIs, single sign-on systems, and OAuth flows. But if you’ve ever received a JWT and wondered what’s actually inside it, this guide will show you exactly how to decode, read, and verify JWT tokens.

What Is a JWT Token?

A JWT (pronounced “jot”) is a compact, URL-safe token format defined in RFC 7519. It consists of three Base64URL-encoded parts separated by dots: a header, a payload, and a signature. The result looks like: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

The Three Parts of a JWT

1. Header

The header contains metadata about the token, primarily the signing algorithm. Common values are HS256 (HMAC with SHA-256), RS256 (RSA with SHA-256), and ES256 (ECDSA with SHA-256). The header also includes the token type, always JWT.

2. Payload (Claims)

The payload contains the actual data — called “claims” — that the token carries. Standard claims include:

  • iss (Issuer): Who created the token
  • sub (Subject): Who the token is about (usually a user ID)
  • aud (Audience): Who the token is intended for
  • exp (Expiration): When the token expires (Unix timestamp)
  • iat (Issued At): When the token was created
  • nbf (Not Before): Token is invalid before this time

3. Signature

The signature verifies that the token hasn’t been tampered with. It’s created by signing the encoded header and payload with the signing key (an HMAC for HS256, a digital signature for RS256 and ES256). Anyone can read a JWT without the key, but only the issuer, who holds the signing key, can produce a valid signature.

How to Decode a JWT Without a Library

Since the header and payload are just Base64URL-encoded JSON, you can decode them without any special tools. Use our online JWT decoder to instantly view the contents of any token.

In JavaScript: JSON.parse(atob(token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/')))

In Python (the URL-safe decoder is required here: base64.b64decode silently discards the - and _ characters and returns garbage, and the padding JWTs omit must be restored): import base64, json; seg = token.split('.')[1]; json.loads(base64.urlsafe_b64decode(seg + '=' * (-len(seg) % 4)))

Security Warning: Never Trust Without Verifying

Reading a JWT is not the same as verifying it. Anyone can base64-decode a JWT and see its contents. The only thing that makes a JWT trustworthy is a valid signature verified against the correct secret key. Never accept a JWT as authentic just because you can decode it — always verify the signature on your server.

Common JWT Issues and How to Debug Them

  • Token expired: Check the exp claim. If it’s in the past, the token is invalid.
  • Wrong audience: The aud claim must match your application’s expected audience.
  • Algorithm mismatch: Your verification code must use the same algorithm as the header specifies.
  • “alg: none” attack: Never accept tokens with "alg": "none" — this is a known attack vector.
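A server-side verifier that applies every check in the list above, added here as an example and not taken from the article or any library: it pins HS256 instead of trusting the header's alg, checks the signature in constant time before reading any claim, and then enforces exp, nbf and aud. The secret and claims it is run with are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_decode(segment):
    """Base64URL-decode one JWT segment, restoring the '=' padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_jwt(token):
    """Read header and payload without checking anything: for debugging only."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs256(claims, secret):
    """Mint an HS256 token (used here to build the constructed test tokens)."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs256(token, secret, audience, now=None):
    """Verify an HS256 token and return its claims, or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm rather than trusting the header: "alg": "none" and
    # algorithm-swap tokens are rejected here, before any signature check.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))  # trusted only after the signature check
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    aud = claims.get("aud")  # RFC 7519 allows a single string or a list of strings
    if not (audience in aud if isinstance(aud, list) else aud == audience):
        raise ValueError("wrong audience")
    return claims
```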

Conclusion

JWTs are a powerful, standardized way to transmit claims between parties. Understanding how to decode and inspect them makes debugging authentication issues dramatically easier. Remember that decoding is different from verification — always verify on the server side before trusting a token’s claims.
