Developer Tools · 5 min read · 4 March 2026

JWT Tokens Explained: How to Decode and Inspect JWTs Online

Understand JSON Web Tokens — their structure, how they work, what claims mean, and how to safely decode and inspect JWTs without a library.

What is a JWT?

A JSON Web Token (JWT, pronounced "jot") is a compact, URL-safe token format used to securely transmit information between parties as a JSON object. JWTs are most commonly used for authentication and authorization in web applications and APIs.

When a user logs in, the server issues a JWT. The client stores it and sends it with every subsequent request in the Authorization: Bearer <token> header. The server verifies the token without needing to query a database.

JWT Structure

A JWT consists of three Base64URL-encoded parts separated by dots:

header.payload.signature
  • Header — specifies the token type (JWT) and signing algorithm (e.g., HS256, RS256)
  • Payload — contains claims: statements about the user and additional metadata
  • Signature — verifies the token hasn't been tampered with; computed from header + payload + secret key

Standard JWT Claims

  • iss (issuer) — who issued the token
  • sub (subject) — who the token refers to (typically a user ID)
  • aud (audience) — who the token is intended for
  • exp (expiration time) — Unix timestamp after which the token is invalid
  • iat (issued at) — Unix timestamp when the token was issued
  • nbf (not before) — token is invalid before this timestamp
  • jti (JWT ID) — unique identifier for the token

JWT Security Considerations

  • Never store sensitive data in the payload — the payload is Base64-encoded, not encrypted. Anyone who has the token can decode and read the payload.
  • Always verify the signature server-side — decoding the payload without verifying the signature is a security vulnerability: anyone can craft a token with arbitrary claims, and only the signature check ties those claims to the issuer.
  • Use short expiration times — a leaked token is valid until it expires. Keep exp short (15–60 minutes for access tokens).
  • Use HTTPS — tokens intercepted over plain HTTP can be reused by attackers.
  • Beware the "alg: none" attack — never accept JWTs with alg: none; always enforce the expected algorithm.

Decoding vs Verifying

Decoding a JWT simply reads the Base64URL-encoded header and payload — no secret key needed. This is useful for debugging. Verifying a JWT checks the signature against the secret key to confirm the token is authentic and untampered. Our tool decodes JWTs for inspection; your server must always verify.

Using the ToolsPal JWT Decoder

  1. Paste your JWT token into the input field
  2. The header and payload are decoded and displayed as formatted JSON immediately
  3. Expiry time is shown in human-readable format
