JWT Tokens Explained: How to Decode JSON Web Tokens

JSON Web Tokens (JWTs) are everywhere in modern web development — auth headers, API responses, OAuth flows, and SSO systems all use them. This guide explains exactly what a JWT is, how to read its three parts, how to decode it safely, and how to generate your own.

What Is a JWT?

A JWT (JSON Web Token) is a compact, URL-safe token format defined in RFC 7519. It encodes a set of claims — statements about an entity (typically a user) and additional metadata — as a JSON object, then signs it so the recipient can verify its authenticity.

JWTs are most commonly used for authentication (proving who a user is after login) and authorization (determining what a user can access). They appear in the Authorization: Bearer <token> header of API requests.

The Three Parts of a JWT

A JWT is three Base64URL-encoded strings joined by dots:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
  • Header — algorithm and token type. Decoded: {"alg":"HS256","typ":"JWT"}
  • Payload — the claims. Decoded: {"sub":"1234567890","name":"John Doe","iat":1516239022}
  • Signature — HMAC-SHA256 over the encoded header and payload, keyed with your secret. It carries no readable data, so there is nothing to decode; what you can do, if you know the secret, is recompute it and check that it matches.

How to Decode a JWT Token

Decoding a JWT reveals the header and payload — without needing the secret. This is useful for inspecting claims, checking expiration, debugging auth issues, and understanding what a token contains.

Important: Decoding ≠ verifying. Anyone can decode the payload of a JWT — it's just Base64URL encoding, not encryption. Verification (confirming the signature is valid) requires the secret or public key. Never trust the claims in a JWT without verifying the signature on the server.

Decode in JavaScript

function decodeJwt(token) {
  const [header, payload] = token.split('.');
  const decode = (str) => {
    // Base64URL -> standard Base64, then restore the '=' padding atob expects
    let b64 = str.replace(/-/g, '+').replace(/_/g, '/');
    b64 = b64.padEnd(b64.length + ((4 - (b64.length % 4)) % 4), '=');
    // atob returns a binary string; decode it as UTF-8 so non-ASCII claims survive
    const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
    return JSON.parse(new TextDecoder().decode(bytes));
  };
  // This only reads the claims; it does NOT verify the signature
  return { header: decode(header), payload: decode(payload) };
}

Or use DevKit's JWT decoder — paste any token and inspect the header, payload, expiration, and all claims instantly.

Standard JWT Claims

The JWT spec defines registered claim names with specific meanings:

Claim  Name        Description
sub    Subject     Who the token is about (user ID)
iss    Issuer      Who issued the token (your auth server)
aud    Audience    Who the token is intended for
exp    Expiration  Unix timestamp; after this, the token is invalid
iat    Issued At   Unix timestamp when the token was created
nbf    Not Before  Token not valid before this Unix timestamp
jti    JWT ID      Unique identifier for this token (prevents replay)

JWT Security Best Practices

  • Always verify the signature server-side. Never trust a decoded JWT payload without verifying the signature. A tampered token with a modified payload will fail signature verification.
  • Set short expiration times. Use the exp claim. Short-lived access tokens (15–60 minutes) paired with long-lived refresh tokens are the standard pattern.
  • Don't store sensitive data in the payload. The payload is Base64URL encoded, not encrypted. Any data in a JWT can be read by anyone who has the token. Use JWTs for IDs and claims — not passwords, PII, or secrets.
  • Use RS256 for distributed systems. HS256 uses a shared secret — every service that verifies tokens needs the secret. RS256 uses a private key to sign and a public key to verify — services can verify without accessing the signing secret.
  • Never paste production tokens into online tools. Use client-side tools like DevKit where the token never leaves your browser.

FAQ

What is a JWT token?

A JWT (JSON Web Token) is a compact, URL-safe token format used to transmit claims between two parties. It consists of three Base64URL-encoded parts separated by dots: a header (algorithm and token type), a payload (claims/data), and a signature (verification). JWTs are commonly used for authentication and authorization in REST APIs.

How do I decode a JWT token?

To decode a JWT: split the token by the dot (.) separator, Base64URL-decode the first part (header) and second part (payload), and parse each as JSON. The third part is the signature — you need the secret or public key to verify it. You can use DevKit's free JWT decoder to decode any token instantly in your browser.

Is it safe to decode a JWT online?

Only if the tool processes the token locally in your browser. DevKit's JWT decoder is 100% client-side — your token never leaves your device. Avoid pasting JWTs (especially with live credentials) into tools that send data to a server.

What is the difference between a JWT and a session token?

A session token is an opaque reference stored server-side — the server looks it up to find user data. A JWT is self-contained — the data is encoded inside the token itself, so the server can verify it without a database lookup. JWTs are stateless and can be verified by any service that has the secret or public key.

Can I generate a JWT token online?

Yes. DevKit's JWT generator lets you build and sign JWTs with custom claims using HS256 — entirely in your browser. You set the payload claims and the secret, and the tool generates the signed token. No signup, no server.