JSON Web Token (JWT) Decoder: Inspect JWT Content and Claims
Understanding JSON Web Tokens
JSON Web Tokens (JWTs) are compact, self-contained tokens that are used to securely transmit information between parties. They’re often used for authentication and information exchange in web apps. Instead of relying on traditional session-based authentication—where data is stored on the server—JWTs include the data right in the token itself. This means that with JWTs, you don’t have to keep user session information on the server, making them ideal for stateless operations. For example, a service like a weather application might use JWTs to manage user preferences without requiring a session database.
A typical JWT contains three parts: Header, Payload, and Signature, each separated by a period. The header and payload are Base64url-encoded JSON objects; the signature is the Base64url encoding of the raw signature bytes. Let's break them down:
- Header: Consists of two parts: the token type (JWT) and the signing algorithm (e.g., HMAC SHA256). This part defines how the token is structured and secured.
- Payload: This is where the action happens. The payload holds the claims, which are statements about the user or other data. Think of claims as a way of saying, "This token belongs to user 123," or "This token expires in 24 hours."
- Signature: Used to verify the token's integrity. The signature is created using the header, payload, and a secret key known only to the issuer. If any part of the token is changed without proper authorization, the signature won't match.
A typical JWT might look something like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.PV4XdgYYp5XIbvHlPQZmCkD2ZLQMIlgoVsVsLCY5iU8
Why Use a JSON Web Token Decoder?
A JWT decoder allows you to inspect the contents and claims stored within the token. This is particularly handy when you need to debug a token or conduct a security audit. Say, for instance, a friend sends you a JWT from their web app and you're curious about the claims inside. Using a JSON Web Token decoder online, you can quickly peer into the payload and inspect the claims.
Decoding is also useful when you suspect that the token might be tampered with. By checking the integrity of the claims and whether the signature matches, you’re able to detect if anything was altered without consent.
Step-by-Step Decoding Process
Decoding a JWT manually can be done in a few simple steps. Here’s how:
- Grab the JWT and split it into three segments using the period character (.) as a separator.
- Decode the Header and Payload sections using Base64 decoding.
For example, using a Base64 decoder you could do the following. Note that JWT segments use the URL-safe Base64 alphabet (base64url) without padding, so the URL-safe characters must be mapped back and padding restored before a standard decoder such as atob() will accept every token:
// Map base64url back to standard Base64 and restore padding before calling atob()
const fromBase64Url = (s) => atob(s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - s.length % 4) % 4));
// Decode the Header
const header = fromBase64Url('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9');
// Decode the Payload
const payload = fromBase64Url('eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ');
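The two decoding steps above, carried through as one small decoder that handles the base64url alphabet, missing padding, and non-ASCII claim values. This is an added example, not code from the original article; the function names are the example's own, and it assumes a global atob() and TextDecoder (browsers, Node.js 16+). It decodes only; it does not check the signature.

```javascript
// Added example, not from the original article: decode a JWT's header and
// payload without verifying it. JWT segments are base64url (RFC 4648 §5),
// not plain base64, so '-' and '_' are mapped back and padding restored
// before atob() sees them. Assumes global atob() and TextDecoder
// (browsers, Node.js 16+). Function names here are the example's own.

// The sample token from the article.
const SAMPLE_JWT =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9' +
  '.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ' +
  '.PV4XdgYYp5XIbvHlPQZmCkD2ZLQMIlgoVsVsLCY5iU8';

// Turn one base64url segment into a UTF-8 string.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error('segment contains characters outside the base64url alphabet');
  }
  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
  const binary = atob(padded); // one character per byte
  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8').decode(bytes); // claims may hold non-ASCII text
}

// Split a compact JWT into its parts and parse the two JSON parts.
// The signature is returned untouched and NOT checked, so treat the
// result as untrusted input until it has been verified.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  const header = JSON.parse(base64UrlDecode(headerSeg));
  const payload = JSON.parse(base64UrlDecode(payloadSeg));
  for (const [name, value] of [['header', header], ['payload', payload]]) {
    if (value === null || typeof value !== 'object' || Array.isArray(value)) {
      throw new Error(`${name} is not a JSON object`);
    }
  }
  return { header, payload, signature: signatureSeg };
}

// Decode the article's sample token.
function decodeSample() {
  return decodeJwt(SAMPLE_JWT);
}

console.log(JSON.stringify(decodeSample(), null, 2));
```

Running it prints the header ({"alg":"HS256","typ":"JWT"}) and payload ({"sub":"1234567890","name":"John Doe","iat":1516239022}) of the sample token. The byte-to-TextDecoder step matters because atob() returns a "binary string" with one character per byte; feeding that straight into JSON.parse would garble any claim containing characters outside ASCII.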
Validating the Token’s Signature
Validating a JWT's signature requires a bit more elbow grease, as it involves cryptographic operations. The signature is calculated using the algorithm named in the header and a secret key; when verifying, compare the header's algorithm against the one your server expects rather than taking it on trust. This example shows how you might check a token using Node.js:
// Sample verification using Node and the built-in crypto library.
// header and payload are the still-encoded first two segments of the token;
// receivedSignature is the third segment, as received.
const crypto = require('crypto');
// Pin the algorithm the server expects instead of trusting the header's alg field
if (JSON.parse(Buffer.from(header, 'base64url').toString()).alg !== 'HS256') {
  throw new Error('Unexpected algorithm');
}
// Recompute the HMAC over "header.payload" with the shared secret
const hmac = crypto.createHmac('sha256', secretKey);
hmac.update(header + '.' + payload);
// JWT signatures are base64url without padding, not plain base64
const calculatedSignature = hmac.digest('base64url');
// Compare in constant time; a plain === comparison can leak timing information
const calculated = Buffer.from(calculatedSignature);
const received = Buffer.from(receivedSignature);
if (calculated.length === received.length && crypto.timingSafeEqual(calculated, received)) {
  console.log('Signature verified');
} else {
  console.log('Invalid signature');
}
In this example, make sure to replace secretKey and receivedSignature with the actual values from your application.
Common JWT Issues and Solutions
Here are some common issues with JWTs, followed by solutions:
- Expired Token: Check the exp claim to ensure the token hasn't expired. Always compare the expiration with the current time. If the token's claim says it expired on October 1st and today is October 2nd, you need a new token.
- Wrong Claims: It's vital to validate the claims. For example, if the payload states the user is an admin, but the user really isn't, you've likely got a tampered token on your hands.
- Signature Mismatch: If the signature isn’t matching up, verify both the header and payload against your secret key. Simply put, keep your keys safe and check them twice.
Frequently Asked Questions
How do I use a JSON Web Token decoder online?
Using an online JSON Web Token decoder is easy. You just paste your JWT into the decoder tool, and it automatically splits the token and decodes each part so you can see the contents of the header and payload in plain text.
Is a JSON Web Token secure?
The security of a JWT comes down to how it's used. For solid security, ensure your token is signed with a strong secret key and that you're verifying the token correctly. Avoid putting sensitive info directly in the payload, where it's easily exposed. Treat your secret keys like passwords: never share them.
What is the difference between JWT and OAuth?
JWT is a format for tokens—basically, how info is sent between systems. OAuth is a protocol used for authorization. So, while OAuth can use JWTs as tokens, they're not inherently the same. Think of OAuth as the method and JWT as one possible message format.
Can JWTs be stored in localStorage or sessionStorage?
Yes, JWTs can be tucked away in either localStorage or sessionStorage. However, don't just store anything, especially sensitive stuff like public keys or passwords. Use secure handling practices to avoid security snafus.