KnowKit

Debugging an API and seeing a long token that starts with eyJ?

That's a JWT — decode it to see what data it carries (no, it's not encrypted).

JWT Decoder

Decode and inspect JSON Web Token headers and payloads

Understanding JWT Tokens

JSON Web Tokens (JWTs) are the backbone of modern web authentication. When you log in to a website, the server issues a compact, URL-safe token composed of three Base64URL-encoded segments: a header specifying the signing algorithm, a payload containing claims like user ID and expiration, and a cryptographic signature that lets the recipient detect tampering. This tool decodes the header and payload so you can inspect the contents without needing any server-side keys.

JWT Structure and Security

A JWT is divided into three parts separated by dots: Header (algorithm and token type), Payload (claims and user data), and Signature (cryptographic proof). The header and payload are Base64URL-encoded JSON, which means anyone can decode them — the security comes from the signature, which only someone holding the signing key (a shared secret for HMAC, a private key for RSA/ECDSA) can produce. This tool decodes the first two parts for inspection and debugging.

Common Mistakes

  • Treating decoded JWT payload as verified data — decoding is not the same as verifying the signature
  • Storing sensitive data like passwords in JWT payloads — the payload is just Base64URL-encoded, not encrypted
  • Ignoring token expiration — expired tokens should always be rejected by the server

Pro Tips

  • Use short expiration times (15-30 minutes) for access tokens and longer times for refresh tokens
  • Always validate that the algorithm in the header matches what your server expects, to prevent algorithm confusion attacks
  • Use RS256 (asymmetric) instead of HS256 (symmetric) when multiple services need to verify tokens

Real-World Examples

Single Sign-On (SSO)

Google, Microsoft, and Auth0 issue JWTs for OAuth 2.0 / OpenID Connect flows

API authentication

Include JWT in the Authorization header as a Bearer token for REST API requests

Debugging auth issues

Decode a JWT to check if the right claims and expiration are set correctly

About JWT Decoder

What is a JWT?

A JWT (JSON Web Token) is how most modern web apps handle logins. When you sign in, the server gives your browser a compact token. Your browser sends that token back with every request, and the server uses it to verify who you are — no session database needed.

Google, Microsoft, Auth0, and pretty much every OAuth 2.0 / OpenID Connect flow issues JWTs. If you've ever seen a long string with two dots in it in a network request, that was a JWT.

This tool decodes the header and payload so you can see what's inside. It's handy for debugging auth issues, checking which claims a token carries, or confirming the right data got encoded.

JWT Structure

A JWT is three Base64URL-encoded segments joined by dots: header, payload, signature.

Header

Tells you how the token was signed. Usually contains alg (the algorithm, like HS256 or RS256) and typ (always "JWT").

Payload

This is where the actual data lives. Standard claims include iss (who issued it), sub (the user ID), aud (intended audience), exp (expiration), nbf (not-before time), and iat (issued-at time). Apps can also add custom claims for roles, permissions, or anything else they need.

Signature

The server creates this by computing an HMAC over the encoded header and payload with a shared secret, or by signing them with a private key (RSA/ECDSA). The receiving server uses the matching key to confirm the token hasn't been tampered with. This tool doesn't verify signatures — that requires the signing key, which is different for every application.

How to Use This Tool

Paste a JWT into the input box. The header and payload decode instantly as you type, rendered as highlighted JSON. Time-based claims (iat, exp, nbf) convert to human-readable dates. If the token is expired, a red warning appears.

Copy buttons let you grab the decoded header or payload as formatted JSON. The signature segment is shown but not verified — see the FAQ for why.
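The decode step the tool performs, as an added example that is not the tool's own code: Base64URL segments are normalised before atob(), time claims are rendered as dates, and expiry is checked against an injectable clock. The sample token and its claims are constructed here; it runs in a browser or in Node 18+.

```javascript
// Added example (not the tool's own code): decode a JWT's header and payload.
// Base64URL uses "-" and "_" instead of "+" and "/" and drops padding, so each
// segment is normalised before atob(); TextDecoder restores UTF-8 claim text.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function base64UrlEncode(text) {
  const bytes = new TextEncoder().encode(text);
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Parses header and payload; the signature is returned as-is because decoding
// cannot establish whether it is valid (that needs the signing key).
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("JWT must have exactly three segments");
  const [h, p, s] = parts;
  return {
    header: JSON.parse(base64UrlDecode(h)),
    payload: JSON.parse(base64UrlDecode(p)),
    signature: s,
  };
}

// iat/nbf/exp are seconds since the Unix epoch; render them as ISO-8601 dates.
function timeClaimsToDates(payload) {
  const dates = {};
  for (const name of ["iat", "nbf", "exp"]) {
    if (typeof payload[name] === "number") {
      dates[name] = new Date(payload[name] * 1000).toISOString();
    }
  }
  return dates;
}

// Expired once the clock reaches exp; nowSeconds is injectable for testing.
function isExpired(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  return typeof payload.exp === "number" && nowSeconds >= payload.exp;
}

// Constructed sample token: the claims are invented and the signature segment is
// a placeholder, since this example inspects the token without verifying it.
const SAMPLE_PAYLOAD = { iss: "https://issuer.example", sub: "user-42", aud: "api.example", iat: 1700000000, exp: 1700001800, name: "Zoë" };
const SAMPLE_JWT = base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })) + "." + base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)) + ".signature-placeholder";
```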

This utility is provided for informational purposes only. KnowKit is not responsible for any errors in the output.

Frequently Asked Questions

Is my JWT token sent to a server?

No. Decoding happens in your browser using atob() and JSON.parse(). No network requests are made.

Why doesn't this tool verify the signature?

Verification needs the secret or public key used to sign the token. That key is application-specific and shouldn't be shared. This tool is for inspection and debugging, not authenticity checks. For verification, use a server-side library like jsonwebtoken (Node.js) or PyJWT (Python) with your app's signing key.

What do the registered claims mean?

iss — issuer. sub — subject (usually user ID). aud — intended audience. exp — expiration time. nbf — not-before time. iat — issued-at time. jti — unique token ID, used to prevent replay attacks.

Can I decode tokens signed with any algorithm?

Yes. The header and payload are just Base64URL-encoded JSON. They decode the same way regardless of the signing algorithm. The algorithm only affects the signature, which this tool shows but can't verify.

What does it mean if a token is expired?

The current time has passed the token's exp claim. The issuing server will reject it, and the client will need to refresh or re-authenticate.