
How to Decode JWT Tokens: A Developer's Guide

Learn how to decode JWT tokens to inspect header, payload, and claims. Includes a free in-browser decoder.

What is a JWT and why decode it?

A JSON Web Token (JWT) is a compact, URL-safe token format used to transmit claims between two parties, most commonly between a client and a server. A JWT consists of three Base64URL-encoded parts separated by dots: the header, the payload, and the signature.

Decoding a JWT is the act of reading the header and payload to understand what claims it carries. This is essential for debugging authentication issues, inspecting tokens in API responses, or simply understanding what data is being sent on your behalf. It is important to know that decoding does not verify the signature; for that, you need the secret or public key from the issuing party.

Common use cases

  • Debugging auth flows: Inspecting tokens returned by login APIs
  • Auditing claims: Checking the expiration, issuer, audience, and custom fields
  • Local development: Reading tokens stored in localStorage or cookies
  • Learning: Understanding how authentication works in modern web apps
  • Security reviews: Spotting sensitive data accidentally included in tokens

Method 1: Use UtilBoxx's free JWT decoder (Recommended)

Our JWT decoder parses any JWT and displays its header and payload in a readable format, with timestamps converted to human dates. Here is how to use it:

  1. Go to utilboxx.com/en/tools/crypto/jwt
  2. Paste your JWT into the input field
  3. See the header and payload decoded instantly
  4. Check expiration, issued-at, and other claims
  5. Copy any section with one click

Why this method works:

  • Runs entirely in your browser; the token never leaves your device
  • Auto-formats JSON for readability
  • Highlights expired tokens and upcoming expirations
  • Mobile-friendly with large text fields
  • 100% free, no signup, no tracking

Method 2: Use jwt.io

The website jwt.io (by Auth0) is a popular JWT playground. Paste a token, and it decodes the header and payload, optionally verifying the signature if you supply the secret. It is widely used and supports many libraries' algorithms.

Method 3: Decode in your language of choice

In Node.js, with the `jsonwebtoken` library:

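```javascript
const jwt = require('jsonwebtoken');

// decode() only parses the token; it does not check the signature.
// { complete: true } returns the header alongside the payload.
const decoded = jwt.decode('eyJhbGciOi...', { complete: true });
console.log(decoded.header);
console.log(decoded.payload);
```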

In Python, with the `PyJWT` library:

```python
import jwt

# Inspection only: signature verification is explicitly switched off.
payload = jwt.decode("eyJhbGciOi...", options={"verify_signature": False})
print(payload)
```

The `verify_signature: False` option is critical: it tells the library to decode without checking the signature, which is what you want for inspection and nothing else. Code that acts on the claims must verify the signature instead.

Frequently asked questions

Is it safe to decode a JWT online?

Decoding is safe because the contents are not secret. They are only Base64URL-encoded, not encrypted. However, never paste production tokens into untrusted services if they might contain sensitive data. The UtilBoxx decoder runs locally in your browser, so the token never leaves your device.

Can a decoded JWT be trusted?

No. Decoding shows the claims but does not verify the signature. A token can be decoded but not authentic. Always verify the signature using the issuer's secret or public key before trusting any claim.

What is the difference between decoding and verifying?

Decoding reads the contents. Verifying uses a cryptographic key to confirm the token was issued by a trusted party and was not tampered with. For local inspection, decoding is enough. For security decisions, verification is required.
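The difference in practice, as an added example that is not part of the original article or of any library: a dependency-free Node.js sketch in which an edited token still decodes cleanly but fails HS256 verification. The function names, secret, and claims are constructed for illustration.

```javascript
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Decoding: split on dots and Base64URL-decode header and payload. No key involved.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [header, payload] = parts.slice(0, 2)
    .map((p) => JSON.parse(Buffer.from(p, 'base64url').toString('utf8')));
  return { header, payload };
}

// Verifying: recompute the HMAC over "header.payload" and compare in constant time.
function verifyHs256(token, secret) {
  let header;
  try { ({ header } = decodeJwt(token)); } catch { return false; }
  if (header?.alg !== 'HS256') return false; // accept only the algorithm we expect
  const [head, body, sig] = token.split('.');
  const expected = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Helper used only to build the constructed sample token below.
function signHs256(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(sig)}`;
}

// Constructed sample data: the secret and claims are made up for this example.
const SECRET = 'example-secret-not-for-production';
const claims = { sub: 'user-123', role: 'viewer', exp: 4102444800 };
const genuine = signHs256(claims, SECRET);

// Same header and signature, edited payload: it still decodes without complaint.
const [h, , s] = genuine.split('.');
const tampered = [h, b64url(JSON.stringify({ ...claims, role: 'admin' })), s].join('.');

console.log(decodeJwt(tampered).payload);     // decodes fine, shows the edited claim
console.log(verifyHs256(genuine, SECRET));    // true
console.log(verifyHs256(tampered, SECRET));   // false
```

This sketch checks only the signature; a production verifier also validates `exp`, `iss`, and `aud`, which maintained libraries such as `jsonwebtoken` (`jwt.verify`) do for you.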

What claims are commonly included in a JWT?

Standard claims include `iss` (issuer), `sub` (subject), `aud` (audience), `exp` (expiration), `iat` (issued at), and `nbf` (not before). Custom claims vary by application, such as `role`, `email`, or `user_id`.

Conclusion

Decoding JWTs is a routine task for developers. For a fast, private, in-browser experience, the UtilBoxx JWT decoder is the easiest tool to keep in your bookmarks.