JWT Decoder

Decode and validate JWT tokens instantly

About JWT Decoder

JWT Decoder is a security tool for developers, backend engineers, and security teams to inspect authentication tokens without writing code. Decode any JWT to view the header, payload, and signature, verify claims, and check expiration dates. Ideal for debugging authentication flows and auditing token contents.

How to use this tool

  1. Enter or paste your JWT into the tool's input field.
  2. Adjust any available options for the result format, output style, or calculation settings.
  3. Click the action button to decode your token and wait for the updated output.
  4. Review the result, then copy or download the output for your next task.

Example

Input

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9obiBEb2UifQ.s5LkR5yH4...

Output

Header:
{
  "alg": "HS256",
  "typ": "JWT"
}

Payload:
{
  "name": "John Doe"
}

Tool guide

What is a JWT token?

A JWT (JSON Web Token) is a compact, self-contained way to transmit information securely between parties. It is commonly used for authentication and authorization in web applications. A JWT consists of three parts separated by dots: the header (which specifies the algorithm), the payload (which contains the actual claims or user data), and the signature (which verifies that the token has not been tampered with). The header and payload are Base64URL-encoded, not encrypted, so anyone who holds the token can read them; the signature protects integrity, not confidentiality.

JWTs are stateless, meaning the server does not need to store session data to validate them. When a user logs in, the server creates a JWT and sends it to the client. The client includes this token in subsequent requests, and the server can verify the token's authenticity by checking the signature without querying a database. This makes JWTs efficient for scaling applications, as each server can independently verify tokens.

JWTs are widely used in modern web applications, especially in APIs and microservices architectures. They are part of the OAuth 2.0 and OpenID Connect standards, making them the de facto standard for authentication tokens across the internet. Popular platforms like Google, GitHub, and Auth0 use JWTs to manage user sessions and permissions.

When should you use the JWT Decoder?

Use the JWT Decoder when you receive an authentication token and need to inspect its contents. Developers commonly receive JWTs in API responses after login. By decoding the token, you can verify that the correct user information, permissions, and expiration date are embedded in the token without needing to check a database.

Backend developers use the JWT Decoder to troubleshoot authentication issues. If a user is getting denied access or experiencing permission problems, you can decode their JWT to see what roles or claims are assigned to their account, which helps identify configuration errors or permission conflicts.

Security engineers use the JWT Decoder to audit tokens and ensure they contain expected data. By regularly decoding JWTs in your system, you can verify that no sensitive data is being exposed, tokens expire at appropriate times, and user permissions are correctly assigned.

Frontend developers use this tool to debug authentication flows. When integrating login systems or third-party authentication providers (like Google or GitHub), decoding the JWT helps confirm that user data is being received and stored correctly.

Token validation and testing: Use the decoder to verify that tokens issued by your authentication server include all required claims. If you are writing tests for your auth system, decoding sample tokens helps confirm they are generated correctly.

How to use the JWT Decoder

Step 1: Copy your JWT from the Authorization header, response payload, or local storage where it is stored. A complete JWT looks like: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U (three parts separated by dots).

Step 2: Paste the JWT into the decoder input field. The tool will immediately parse the three components (header, payload, and signature) and display them in readable JSON format.

Step 3: Review the Header section to see the algorithm used for signing (typically HS256, RS256, or similar). This tells you how the token was cryptographically signed.

Step 4: Examine the Payload section, which contains the claims (user data). This might include user ID, username, email, role, permissions, and the expiration time (exp claim). Verify that all expected fields are present and have correct values.

Step 5: Note the Signature section. The decoder displays the signature but cannot verify it without access to the signing key (this is intentional for security). If you have the signing key, you can use other tools or libraries to verify the signature.

Step 6: Check the expiration time. Look for the "exp" claim in the payload, which is a Unix timestamp indicating when the token expires. If the current time is after this timestamp, the token has expired and is no longer valid.
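The same six steps as a script, for when a token should not leave your machine. This is an added example, not the tool's own code: `decode_jwt` and its result keys are names chosen here, and the sample is the token quoted in Step 1.

```python
import base64
import json
import time

# Token quoted in Step 1 of this page (its signing key is not known here).
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIn0."
    "dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U"
)


def b64url_decode(segment):
    """Base64URL-decode one segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token, now=None):
    """Decode a JWT without verifying it; raise ValueError on malformed input."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"invalid token format: expected 3 parts, got {len(parts)}")
    result = {}
    for name, segment in zip(("header", "payload"), parts):
        try:
            # Bad padding, bad UTF-8 and bad JSON all surface as ValueError.
            obj = json.loads(b64url_decode(segment))
        except ValueError as exc:
            raise ValueError(f"{name} is not valid JSON") from exc
        if not isinstance(obj, dict):
            raise ValueError(f"{name} is not a JSON object")
        result[name] = obj
    exp = result["payload"].get("exp")
    if exp is None:
        result["expired"] = None  # no expiry claim present
    elif isinstance(exp, (int, float)):
        now = time.time() if now is None else now
        result["expired"] = now >= exp  # 'exp' is seconds since the Unix epoch
    else:
        raise ValueError("exp claim is not a number")
    # Decoding proves nothing about authenticity: that needs the signing key.
    result["signature_verified"] = False
    return result


if __name__ == "__main__":
    print(json.dumps(decode_jwt(PAGE_TOKEN), indent=2))
```

The `now` parameter exists so expiry can be checked against a fixed time in tests instead of the wall clock.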

Common errors and how to fix them

Error: Invalid token format. Ensure the JWT contains exactly three parts separated by two dots. If it is missing a part or has extra dots, the decoder will reject it. The token should always follow the pattern: xxxxx.yyyyy.zzzzz. Copy the complete token from the source without cutting off characters.

Error: Token is not valid JSON. After the decoder parses the token, if the header or payload is not valid JSON, an error will appear. This usually indicates the token is corrupted or was not properly encoded. Check the source of the token and ensure you are copying the complete, unmodified JWT.

Error: Token expired. If you decode a token and see an "exp" claim with a timestamp in the past, the token has expired. The server will reject this token for authentication. You need to request a fresh token by logging in again or using a refresh token if your system provides one.

Error: Wrong signature algorithm. If you know the signing key but the signature does not verify, ensure you are using the correct algorithm (HS256, RS256, ES256, etc.). Different algorithms require different verification methods, and using the wrong one will fail.

Error: Signature tampering detected. If the signature does not match the header and payload, it means the token has been modified. This is a security red flag indicating either data corruption or a malicious attempt to forge a token. Do not trust tokens with invalid signatures.
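What the last two errors look like when you do hold the key, as an added example (not the tool's code): a verifier that accepts only HS256, recomputes the HMAC over the first two segments, and compares in constant time. `DEMO_KEY`, `sign_hs256` and `verify_hs256` are hypothetical names, and the token is constructed inside the example.

```python
import base64
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"  # constructed sample key, not a real secret


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def hs256_mac(signing_input, key):
    """HMAC-SHA256 over the ASCII bytes of '<header>.<payload>'."""
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def sign_hs256(claims, key):
    """Issue a constructed sample token so the verifier has something to check."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{b64url_encode(hs256_mac(signing_input, key))}"


def verify_hs256(token, key):
    """Return the payload only if the header says HS256 and the MAC matches."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        expected = hs256_mac(f"{header_b64}.{payload_b64}", key)
    except ValueError as exc:
        raise ValueError("invalid token format") from exc
    # The verifier fixes the algorithm; the header is only checked against it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("wrong signature algorithm")
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, signature):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    print(verify_hs256(sign_hs256({"sub": "1234567890"}, DEMO_KEY), DEMO_KEY))
```

A changed payload and a wrong key both end in the same `signature mismatch` error, which is why the verifier cannot tell you which of the two happened.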

Related tools

Hash Generator: Use this tool to generate cryptographic hashes for creating or verifying JWT signatures. Understand the different hash algorithms (MD5, SHA-256, SHA-512) that power JWT security.

Base64 Encoder/Decoder: JWTs use Base64 URL encoding for each component. If you need to manually encode or decode specific JWT parts, the Base64 tool can help.

JSON Formatter: If you need to prettify the payload or header of a decoded JWT for better readability, use the JSON Formatter to format it nicely.

Frequently asked questions

Is this tool free?

Yes. JWT Decoder is free to use with no signup required.

Is my data stored?

Most inputs are processed in your browser and not stored on our servers. We only keep anonymous usage data to improve the service.

Can I use the results commercially?

Yes. The output is available for personal or commercial use, subject to the Terms of Service.

Does this tool work in any browser?

Yes. The tool runs in modern browsers on desktop and mobile without needing downloads or plugins.

Creator

Built by Zohaib, a web developer from Pakistan.


© 2026 Free Online Tools by Zohaib Hassan. All rights reserved.
