How to Format and Validate JSON Online — Common Errors and Fixes
Learn how to format and validate JSON online, fix common syntax errors, and choose between beautified and minified JSON.
Learn how JWT tokens work, how to decode their header and payload, and why signature verification requires a key.
JWT tokens are commonly used in authentication systems, APIs and web apps. A JWT has three parts separated by dots: header, payload and signature. The header and payload are Base64URL-encoded JSON, which means they can be decoded and inspected.
Utilao's JWT Decoder helps you view the token header and payload in a readable format.
The header usually describes the token type and signing algorithm. The payload contains claims such as user ID, issuer, audience, expiration time and permissions. The signature helps verify that the token was not changed.
Decoding a JWT lets you read the header and payload. It does not prove the token is trusted.
Decoding only converts the encoded parts into readable JSON. Verification checks the signature using a secret or public key. Without the correct key, you can inspect the token but you cannot fully validate that it is authentic.
This distinction matters for security. A decoded token can be useful for debugging, but apps must verify tokens server-side before trusting them.
Avoid pasting sensitive production tokens into unknown tools. Use local or trusted tools when the payload contains private information.
Yes. The header and payload are encoded, not encrypted. Anyone with the token can decode those parts.
No. Verification requires the signing secret or public key.
The exp claim is the expiration timestamp. It tells when the token should no longer be accepted.