What Is a JWT Token? A Plain-English Explanation
A JSON Web Token (JWT, pronounced "jot") is a compact, self-contained string that securely
carries information between two parties. You see them constantly in modern web development — they are the
tokens returned when you log in, the bearer tokens attached to every API request, and the access tokens
your OAuth provider hands you after authorization.
A JWT is made of three Base64url-encoded sections joined by dots. There is no encryption by default —
the data is encoded, not hidden. That is why a JWT decoder can read the contents instantly,
without any secret key.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Header
Payload
Signature
The Three Parts of a JWT
1. Header — Describes the token type and the signing algorithm used.
After decoding, it looks like {"alg":"HS256","typ":"JWT"}. The algorithm could be
symmetric (HS256, HS512) or asymmetric (RS256, ES256, PS256).
2. Payload — The meat of the token. Contains claims: key-value pairs
that assert facts about the user or session. Standard claims include sub (user ID),
exp (expiry timestamp), iat (issued-at), iss (issuer),
and aud (audience). Your app can add any custom claims it needs.
3. Signature — A cryptographic hash of the header and payload, created with
a secret key or private key. It guarantees the token has not been tampered with. You cannot verify
the signature client-side without the key — but you can always read the header and payload.
Quick Fact
Every JWT starts with eyJ — that is Base64url for the opening {" of the JSON header object. If your token starts with anything else, it is likely not a standard JWT.
How to Decode a JWT Token Online — Step by Step
-
1
Get your JWT token
Find it in your API response, browser DevTools (Application → Local Storage or Cookies),
Authorization header, or your auth provider's dashboard. It is three Base64url strings separated by dots.
-
2
Paste it into the input panel
Copy the entire token — including all three parts and both dots — and paste it into
the input area at the top of this page. If it is a bearer token, paste everything after Bearer .
-
3
Click Decode
Press the Decode button (or hit Ctrl+Enter). The JWT parser immediately splits
the token and displays the header and payload as colour-coded JSON.
-
4
Read your claims
Inspect the decoded output. Unix timestamps like exp and iat
are automatically converted to human-readable dates. Check the algorithm, user ID, roles,
permissions, and any custom claims your application sets.
Standard JWT Claims Explained
When you decode a JWT token, the payload contains claims. Here are the registered claims
defined by RFC 7519
that you will encounter most often:
| Claim |
Full Name |
Description |
Example Value |
| sub |
Subject |
Unique identifier for the user or entity the token represents |
"1234567890" |
| iss |
Issuer |
Who created and signed the token (e.g. your auth server domain) |
"https://auth.example.com" |
| aud |
Audience |
Intended recipient — the API or service that should accept the token |
"api.example.com" |
| exp |
Expiration Time |
Unix timestamp after which the token must not be accepted |
1893456000 |
| iat |
Issued At |
Unix timestamp when the token was created |
1516239022 |
| nbf |
Not Before |
Token must not be accepted before this timestamp |
1516239022 |
| jti |
JWT ID |
Unique identifier for the token, used to prevent replay attacks |
"abc123-xyz" |
JWT Decode vs JWT Decrypt — What Is the Difference?
This is the question developers ask most often, and the confusion is completely understandable.
The words decode and decrypt sound interchangeable, but they describe fundamentally
different operations when it comes to JWT tokens.
Decoding reverses Base64url encoding. Because standard JWTs are only encoded —
not encrypted — anyone who holds the token string can decode and read the payload. The signing
signature on a JWT proves the token has not been tampered with, but it does not hide the payload
from view.
Decryption applies to JWE (JSON Web Encryption) tokens. In a JWE, the payload
is genuinely encrypted using a key, and it cannot be read without that key. JWEs are much less common
than standard signed JWTs and require a different tool and the corresponding decryption key.
| Property | JWT (JWS — Signed) | JWE (Encrypted) |
|---|
| Payload visible? | Yes — Base64url only | No — encrypted |
| Key required to read? | No | Yes |
| Tamper-proof? | Yes (signature) | Yes (AEAD) |
| Common in auth flows? | Very common | Rare |
| This tool supports it? | ✓ Yes | ✗ No |
Important
Because the JWT payload is only encoded — not encrypted — never store sensitive data like passwords,
credit card numbers, or private keys inside a JWT claim. Treat the payload as public information.
How to Decode a JWT in Code — Language Examples
Our online JWT parser is the quickest way to inspect a token, but sometimes you need to decode
a JWT programmatically inside your application. Here are concise examples for the most popular languages.
JavaScript — No Library
function decodeJWT(token) {
const [,payload] = token.split('.');
const b64 = payload
.replace(/-/g, '+')
.replace(/_/g, '/');
return JSON.parse(atob(b64));
}
JavaScript — jwt-decode npm
// npm install jwt-decode
import { jwtDecode } from 'jwt-decode';
const decoded = jwtDecode(token);
console.log(decoded.sub);
console.log(decoded.exp);
Python — PyJWT
# pip install PyJWT
import jwt
decoded = jwt.decode(
token,
options={
"verify_signature": False
}
)
print(decoded["sub"])
PHP
// composer require firebase/php-jwt
use Firebase\JWT\JWT;
use Firebase\JWT\Key;
$decoded = JWT::decode(
$token,
new Key($secret, 'HS256')
);
React Hook
import { jwtDecode } from 'jwt-decode';
import { useMemo } from 'react';
function useJWT(token) {
return useMemo(() =>
token ? jwtDecode(token) : null,
[token]
);
}
Python — Manual (No Library)
import base64, json
def decode_jwt(token):
part = token.split(".")[1]
pad = part + "=" * (-len(part) % 4)
return json.loads(
base64.urlsafe_b64decode(pad)
)
Tip
For production applications, always use a well-maintained library (PyJWT, jsonwebtoken, php-jwt)
rather than manual Base64 decoding. Libraries handle edge cases, padding issues, and also give you
signature verification — which manual decoding does not.
Supported JWT Algorithms
This JWT decoder works with tokens signed by any algorithm. Here is a quick reference for what
you will see in the alg field of the decoded header:
| Algorithm | Type | Key Type | Common Use Case |
|---|
HS256 | HMAC + SHA-256 | Shared secret | Single-server apps, microservices with shared secret |
HS384 / HS512 | HMAC + SHA-384/512 | Shared secret | Higher-security symmetric signing |
RS256 | RSA + SHA-256 | RSA key pair | Auth0, AWS Cognito, enterprise SSO |
RS384 / RS512 | RSA + SHA-384/512 | RSA key pair | High-assurance enterprise systems |
ES256 | ECDSA + SHA-256 | EC key pair | Mobile apps, IoT — smaller token size |
PS256 | RSASSA-PSS + SHA-256 | RSA key pair | FAPI, open banking compliance |
none | Unsigned | None | Testing only — never in production |
Is It Safe to Decode a JWT Online?
Security-conscious developers rightly ask this question before pasting anything into a third-party
tool. Here is an honest answer.
This tool is 100% client-side. The JavaScript that decodes your token runs
entirely inside your browser. No token data is transmitted to any server, stored in a database,
or logged anywhere. You can verify this by opening your browser's Network tab — you will see zero
outbound requests when you click Decode.
That said, a few good practices apply regardless of which tool you use:
Use test tokens for inspection. If you are debugging in a shared environment
(pair programming, screen share, public computer), use a test token rather than a production
access token containing real user data.
Remember payloads are not secret. JWT payloads are only Base64url-encoded.
Anyone who has the token string can read the claims. If your payload contains information you
need to keep confidential, you need JWE (JSON Web Encryption), not a standard signed JWT.
Rotate compromised tokens immediately. If you accidentally expose a production
JWT — in a log file, a GitHub commit, or a public paste — revoke it immediately from your
auth provider and issue new tokens to affected users.
Best Practice
Never paste long-lived tokens (refresh tokens, API keys, personal access tokens) into any
online tool. Decode only short-lived access tokens, and prefer using test credentials during development.
Frequently Asked Questions
What is the difference between a JWT decoder and jwt.io?
›
jwt.io is the official reference tool from Auth0. Our JWT decoder does the same
core job — decode the header, payload, and signature — but with a VS-Code-style dark interface,
instant expiry parsing, and an entirely client-side implementation. Both are reliable choices
for inspecting tokens during development.
Can I decode a refresh token?
›
It depends on the auth provider. Some providers issue refresh tokens as
opaque random strings (not JWTs), which cannot be decoded because they have no internal structure.
Others, like Keycloak or certain Firebase configurations, issue refresh tokens as JWTs. If yours
starts with eyJ, paste it in and it will decode. If it is a random string, it is opaque and
not decodable by design.
How do I decode a JWT in Flutter or Dart?
›
Use the dart_jsonwebtoken package from pub.dev.
Call JWT.decode(token) to read the payload without signature verification.
For full verification with a secret or public key, use JWT.verify(token, key).
Alternatively, manually split by '.' and base64-decode the second segment using
base64Url.decode() from Dart's convert library.
What does "decode JWT token online" actually do?
›
It splits the token by the dot separator, takes the first two parts
(header and payload), applies Base64url decoding to each one, and then JSON.parses the
resulting byte strings into readable objects. The third part (signature) is displayed
as-is because it is a cryptographic hash, not JSON. The whole process takes under a millisecond
and runs entirely in your browser.
Why does my token fail to decode?
›
The most common reasons are: (1) the token is an opaque token, not a JWT —
it will not have the three-part dot structure; (2) you copied only part of the token — make sure
you include all three segments; (3) there are trailing spaces or newline characters — the decoder
trims input automatically but some environments wrap tokens in quotes; (4) it is a JWE encrypted
token — the payload will be ciphertext, not JSON. Check the raw token starts with eyJ.
How do I decode a JWT access token from OAuth2 / OpenID Connect?
›
OAuth2 access tokens from providers like Google, Microsoft, Okta, and Auth0
are standard JWTs. Copy the access_token value from the token response and paste it
here. The decoded payload will typically include iss (issuer URL), sub
(user ID), aud (client ID), exp, and provider-specific claims like
email, roles, or scopes.
This free online JWT decoder is built for developers who need to quickly inspect tokens during
development and debugging. It supports all standard JWT algorithms and processes everything
locally in your browser. No account required, no usage limits, no data collection.
