What Is a JSON Web Token (JWT)?
A JSON Web Token (JWT) is a compact, URL-safe token format standardized in RFC 7519. Every JWT consists of three Base64url-encoded segments separated by dots: a header, a payload, and a signature. The header identifies the signing algorithm (typically HS256 or RS256) and the token type. The payload carries claims, which are structured assertions about a subject such as user identity, roles, or permissions. The signature allows the receiving party to verify that the header and payload have not been tampered with.
JWT claims fall into three categories. Registered claims are predefined keys with standardized meanings: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). Public claims are defined in the IANA JWT Claims Registry or using collision-resistant names. Private claims are arbitrary application-specific data agreed upon by the parties exchanging the token.
JWTs are most commonly used as bearer tokens in OAuth 2.0 and OpenID Connect flows, as API tokens passed in the Authorization: Bearer header, and as short-lived session credentials in single-page applications. Because the header and payload are only Base64url-encoded, not encrypted, a decoder can read any JWT client-side, so you can inspect claims, check expiration, and debug authentication issues without any backend calls.
How to Decode a JWT Online
Decoding a JWT means splitting the token on the two dot separators and Base64url-decoding each segment. The header and payload are standard JSON objects, so any decoder can display them as formatted, human-readable text. The third segment, the signature, is raw binary and is shown as a hex or Base64url string; verifying it requires the original secret or public key.
This tool decodes the header and payload immediately as you paste the token. The exp and iat fields are Unix timestamps; the tool renders them as readable dates alongside the raw numbers so you can tell at a glance whether the token has expired. No data leaves your browser at any point.
How to Decode and Inspect a JWT Token Online
- 1. Paste your JWT. Copy the full JWT string (header.payload.signature) into the input field. The token typically starts with eyJ, which is the Base64url encoding of '{"'.
- 2. Inspect the payload. The tool decodes and displays the header and payload as formatted JSON. You can read every claim — subject, issuer, audience, roles, and any custom fields — without writing a single line of code.
- 3. Check expiration. The decoded view highlights the exp and iat timestamps in human-readable dates. If exp is in the past, the token is expired and will be rejected by any compliant server.
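Code Examples

JavaScript / TypeScript

// Decode JWT payload in the browser (no library needed).
// This only decodes; it does not verify the signature, so do not base
// authorization decisions on the result.
function decodeJwtPayload(token: string): Record<string, unknown> {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('Invalid JWT: expected 3 segments');
  // Base64url -> Base64
  const base64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  // atob() returns a binary string; decode it as UTF-8 so non-ASCII claims survive
  const bytes = Uint8Array.from(atob(base64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

const payload = decodeJwtPayload('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c');
console.log(payload.sub); // "1234567890"
// Claims are typed as unknown, so convert iat before doing arithmetic on it
console.log(new Date(Number(payload.iat) * 1000).toISOString()); // "2018-01-18T01:30:22.000Z"

Python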
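# Option A: manual Base64url decode (no dependencies, no signature check)
import base64
import json

def decode_jwt_payload(token: str) -> dict:
    payload_b64 = token.split('.')[1]
    # Add padding if necessary
    payload_b64 += '=' * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))

# Option B: PyJWT (pip install PyJWT), which also verifies the signature
import jwt

token = "<paste your JWT here>"  # placeholder
try:
    payload = jwt.decode(
        token,
        key="your-secret",
        algorithms=["HS256"],  # accept only the algorithm you expect
    )
    print(payload["sub"])
except jwt.InvalidTokenError as err:
    # Raised for a malformed token, a bad signature, or an expired exp claim
    print(f"Rejected: {err}")

Go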
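package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"strings"

	// go get github.com/golang-jwt/jwt/v5
	jwtlib "github.com/golang-jwt/jwt/v5"
)

// Manual decode (no verification)
func decodePayload(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("invalid jwt")
	}
	b, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	return claims, json.Unmarshal(b, &claims)
}

// Verified decode with golang-jwt
func verifiedDecode(tokenStr, secret string) (jwtlib.MapClaims, error) {
	token, err := jwtlib.Parse(tokenStr, func(t *jwtlib.Token) (interface{}, error) {
		return []byte(secret), nil
	}, jwtlib.WithValidMethods([]string{"HS256"})) // accept only the expected algorithm
	if err != nil {
		return nil, err
	}
	claims, ok := token.Claims.(jwtlib.MapClaims)
	if !ok {
		return nil, fmt.Errorf("unexpected claims type")
	}
	return claims, nil
}

// Decode (without verifying) the token passed as the first argument
func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: jwtdecode <token>")
		os.Exit(1)
	}
	claims, err := decodePayload(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(claims)
}

Bash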
#!/usr/bin/env bash
# Decode the JWT payload (requires jq for pretty output)
TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
# Extract the payload segment (second part)
PAYLOAD=$(echo "$TOKEN" | cut -d'.' -f2)
# Restore the '=' padding that Base64url omits so base64 --decode is happy
case $(( ${#PAYLOAD} % 4 )) in
  2) PADDED="${PAYLOAD}==" ;;
  3) PADDED="${PAYLOAD}=" ;;
  *) PADDED="$PAYLOAD" ;;
esac
# Base64url -> Base64: replace - with + and _ with /
CLAIMS=$(echo "$PADDED" | tr -- '-_' '+/' | base64 --decode)
echo "$CLAIMS" | jq .
# Check expiration directly (exp is optional; this sample token has none)
EXP=$(echo "$CLAIMS" | jq -r '.exp // empty')
NOW=$(date +%s)
if [ -z "$EXP" ]; then echo "Token has no exp claim"
elif [ "$EXP" -lt "$NOW" ]; then echo "Token is expired"
else echo "Token is not expired (signature not verified)"; fi

Frequently Asked Questions
What is a JSON Web Token (JWT)?
A JWT is a compact, URL-safe token format defined in RFC 7519. It consists of three Base64url-encoded parts separated by dots: a header (algorithm and type), a payload (claims), and a signature.
Is it safe to decode JWT tokens online?
Yes, when using a client-side decoder like this one. All decoding happens in your browser — the token is never uploaded to any server.
Can this tool verify JWT signatures?
This tool decodes and displays the JWT header and payload; it does not verify the signature. Verification requires the signing secret or public key, and this client-side tool does not ask for them, to avoid exposing your keys.
How do I check if a JWT is expired?
After decoding, look at the 'exp' (expiration) claim in the payload. It is a Unix timestamp. Compare it with the current time — if 'exp' is in the past, the token has expired.