JWT Decoder

Dissect and verify JSON Web Tokens payload-by-payload.

What is a JWT decoder?

A JWT decoder splits a JSON Web Token into its three parts — header, payload, and signature — and Base64URL-decodes the first two so you can read them as JSON. Developers use it constantly while debugging login flows, authorization, session claims, and token expiration problems.

Decoding a JWT is *not* the same as trusting it. The header and payload are readable by design — they are only Base64URL-encoded, not encrypted. Verification is what checks whether the token was signed by the expected party and has not been tampered with.

A JWT looks like header.payload.signature. Each part is Base64URL-encoded, separated by dots. The header says which signing algorithm is used, the payload carries the claims (who the user is, when the token expires, what they're allowed to do), and the signature lets the server prove the token wasn't modified.

What you'll learn while decoding JWTs

  • A JWT has three Base64URL-encoded parts separated by dots: header.payload.signature.
  • Common claims like sub, role, iat, nbf, and exp describe identity, permissions, issued time, not-before time, and expiration time.
  • A decoded payload can be edited by anyone — only the signature lets a server detect tampering.

How to decode a JWT step by step

  1. Paste the full token

    Paste the JWT into the input box. It should look like xxxx.yyyy.zzzz — three Base64URL-encoded parts joined by dots.

  2. Read the header

    The header tells you the signing algorithm (alg) and token type. Watch out for "alg": "none" — that means the token is unsigned and can't be trusted.

  3. Read the payload claims

    The payload is the JSON with all the claims. Look for sub (user id), exp (expiration), iat (issued at), and any custom claims your app adds like role or tenant.

  4. Check expiration

    Convert the exp Unix timestamp to a date — if it's in the past, the token is expired and any well-behaved API will reject it.

  5. Verify the signature (optional)

    If you have the secret or public key, paste it into the verifier to confirm the signature is valid. The token's contents are only trustworthy when the signature checks out.

Standard JWT claims

These are the registered claims defined by the JWT spec (RFC 7519). Any application can add its own custom claims alongside them.

Claim  Name                  Meaning
iss    Issuer                Who created and signed the token
sub    Subject               Who the token is about — usually a user id
aud    Audience              Who the token is intended for
exp    Expiration            Unix timestamp after which the token is invalid
nbf    Not Before            Token must not be accepted before this time
iat    Issued At             When the token was created
jti    JWT ID                Unique identifier — useful for revocation
alg    Algorithm (header)    Signing algorithm: HS256, RS256, ES256, …

JWT examples to try

Inspect a typical JWT

Token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsInJvbGUiOiJzdHVkZW50IiwiZXhwIjoxNzEwMDAwMDAwfQ.Q3hH8yzqI2OsHJ1Lyj8jJfJPa5ZpIVlh1FhJpJbqMcs

Header
{
  "alg": "HS256",
  "typ": "JWT"
}

Payload
{
  "sub": "user_123",
  "role": "student",
  "exp": 1710000000
}

The header says HS256 (a shared-secret algorithm). The payload identifies the user, their role, and when the token expires. The signature is the third part. (This is a sample token for demonstration — the signature won't verify against any real secret.)

Check whether a token is expired

Payload claim
{
  "exp": 1710000000
}

exp is a Unix timestamp in seconds. Convert it to a date — if it is in the past, the token is expired and a correct backend will reject it.

Spot a dangerous "none" algorithm

Header
{
  "alg": "none",
  "typ": "JWT"
}

If a server accepts "alg": "none", an attacker can forge any payload without a signature. Always reject this header in production.

Common JWT mistakes

  • Putting passwords, secrets, or sensitive personal data into the payload. JWTs are readable, not encrypted.
  • Decoding a token and assuming it is valid without checking the signature.
  • Confusing Base64URL readability with encryption — JWT payloads are easy to read on purpose.

JWT FAQ

What is JWT?
JWT stands for JSON Web Token. It is a compact, signed, URL-safe token format used to carry claims between two parties — most often between a server and a browser to represent a logged-in user.
How do I decode a JWT?
Paste the token into a JWT decoder, or split it on the dots and Base64URL-decode each of the first two parts. The header and payload come back as JSON; the third part is the signature.
How do I check if a JWT is expired?
Look at the exp claim in the payload. It is a Unix timestamp in seconds. If the current time is past exp, the token is expired.
Can anyone decode a JWT?
Yes. The header and payload are Base64URL-encoded, not encrypted. The signature only proves the token has not been tampered with — it does not hide the contents.
What does JWT verification mean?
Verification recomputes the signature using the expected secret or public key and compares it to the signature on the token. If they match, the payload is trustworthy and unmodified.
Should I store passwords in a JWT?
No. Anyone with the token can read the payload. Store only non-sensitive identifiers and claims, and rely on short expirations plus refresh tokens for security.