How to Decode a JWT Token

JSON Web Tokens (JWTs) are everywhere in modern web development. Whether you are debugging an API, inspecting an authentication flow, or learning how OAuth works, knowing how to decode a JWT is a fundamental skill.

What Is a JWT?

A JSON Web Token is a compact, URL-safe means of representing claims to be transferred between two parties. JWTs are commonly used for authentication and authorization in web applications. When a user logs in, the server generates a JWT that the client includes in subsequent requests to prove identity.

The token itself is not encrypted — it is simply encoded. This means anyone can decode a JWT to read its contents. The security comes from the signature, which verifies that the token was issued by a trusted server and has not been tampered with.

JWT Structure

A JWT consists of three parts separated by dots:

header.payload.signature
  • Header: Contains metadata about the token, such as the signing algorithm (e.g., HS256, RS256) and the token type. It typically looks like: {"alg":"HS256","typ":"JWT"}
  • Payload: Contains the claims — statements about the user or entity and additional data. Common claims include sub (subject), iat (issued at), and exp (expiration time).
  • Signature: Verifies that the sender is who it claims to be and that the message was not changed along the way. It is created by computing a MAC or digital signature over the encoded header and payload with a secret (or private) key.

How to Decode a JWT Step by Step

The quickest way to decode a JWT is with an online decoder. Here is how:

  1. Copy the JWT. Find the token in your browser dev tools (under the Network or Application tabs), in an API response, or in an Authorization header. Select the full token string that follows the Bearer prefix, up to the end of the header value.
  2. Paste it into the decoder. Open the ToolStack JWT Decoder and paste the token into the input field.
  3. Read the results. The decoder displays the header, payload, and signature in a readable format. You can inspect all claims, check expiration times, and see which algorithm was used.

Try It: Decode a JWT Online

Use our free, client-side JWT Decoder to inspect any token instantly. Your data never leaves your browser.


Security Considerations

  • JWTs are not encrypted. Anyone can decode the payload. Never store sensitive data (passwords, API keys) in a JWT payload.
  • Verify the signature. Decoding a token only shows you its contents — it does not verify authenticity. Use a proper verification step on the server side.
  • Check expiration. Always verify the exp claim before trusting a token. Expired tokens should be rejected.
  • Use HTTPS. Always transmit JWTs over HTTPS to prevent interception and replay attacks.
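To show the difference between the decoding steps above and the server-side checks in this list, here is an added example (not the ToolStack decoder's code) using only the Python standard library: decode_jwt reads a token the way an online decoder does, while verify_hs256 pins the algorithm, recomputes the HMAC, and enforces exp before the payload is trusted. The secret and token are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(segment):
    # base64url drops '=' padding; restore it so the stdlib decoder accepts it
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt(token):
    """Split on '.' and decode header and payload. Reads only; verifies nothing."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return {"header": json.loads(b64url_decode(header_b64)),
            "payload": json.loads(b64url_decode(payload_b64)),
            "signature": b64url_decode(signature_b64)}

def verify_hs256(token, secret, now=None):
    """Server-side check: pin alg, recompute the HMAC, compare in constant time, enforce exp."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the server decides the algorithm, not the token
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("signature mismatch: not issued with this secret, or modified in transit")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" not in payload or now >= payload["exp"]:
        raise ValueError("token expired or missing exp")
    return payload

def is_valid(token, secret, now=None):
    try:
        verify_hs256(token, secret, now)
        return True
    except ValueError:
        return False

def make_hs256_token(payload, secret):
    # Issuer side; used here only to build the constructed sample token below
    header_b64 = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    return header_b64 + "." + payload_b64 + "." + b64url_encode(sig)

SECRET = b"constructed-demo-secret"  # placeholder for illustration, not a real key
TOKEN = make_hs256_token({"sub": "user-123", "iat": 1700000000, "exp": 1700003600}, SECRET)

if __name__ == "__main__":
    print(json.dumps(decode_jwt(TOKEN)["payload"]), is_valid(TOKEN, SECRET, now=1700000100))
```

Anyone can run decode_jwt on a token and read its claims; only verify_hs256, which holds the secret, can tell whether those claims were actually issued by the server.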
