How to Decode JWT Tokens Online — Header, Payload and Signature

Learn how JWT tokens work, how to decode their header and payload, and why signature verification requires a key.

JWT tokens are commonly used in authentication systems, APIs and web apps. A JWT has three parts separated by dots: header, payload and signature. The header and payload are Base64URL-encoded JSON, which means they can be decoded and inspected.

Utilao's JWT Decoder helps you view the token header and payload in a readable format.

What is inside a JWT?

The header usually describes the token type and signing algorithm. The payload contains claims such as user ID, issuer, audience, expiration time and permissions. The signature helps verify that the token was not changed.

Decoding a JWT lets you read the header and payload. It does not prove the token is trusted.

Decoding vs verifying a JWT

Decoding only converts the encoded parts into readable JSON. Verification checks the signature using a secret or public key. Without the correct key, you can inspect the token but you cannot fully validate that it is authentic.

This distinction matters for security. A decoded token can be useful for debugging, but apps must verify tokens server-side before trusting them.

How to decode a JWT online

  1. Open the JWT Decoder.
  2. Paste the token.
  3. Review the decoded header.
  4. Review the decoded payload.
  5. Check claims like exp, iat, iss, aud and sub.

Avoid pasting sensitive production tokens into unknown tools. Use local or trusted tools when the payload contains private information.

FAQ

Can anyone decode a JWT?

Yes. The header and payload are encoded, not encrypted. Anyone with the token can decode those parts.

Does decoding verify the JWT?

No. Verification requires the signing secret or public key.

What does exp mean in a JWT?

The exp claim is the expiration timestamp. It tells when the token should no longer be accepted.