Toolium

How to Decode JWT Tokens - Understanding JSON Web Tokens


JSON Web Tokens (JWTs) are the standard for authentication in modern web applications. Understanding how to read them is essential for debugging auth issues.

JWT Structure

A JWT has three parts separated by dots: header.payload.signature. The header and payload are Base64url-encoded JSON; the signature is the Base64url-encoded raw signature bytes computed over the first two parts.

  • Header - specifies the algorithm (e.g., HS256, RS256) and token type
  • Payload - contains the claims (user data, expiration, issuer)
  • Signature - lets anyone holding the verification key (or the issuer's public key) confirm the token hasn't been tampered with

Common Claims

sub (subject - usually user ID), exp (expiration timestamp), iat (issued at), iss (issuer), aud (audience). Custom claims can contain any JSON data.

Important: JWTs Are Not Encrypted

Anyone can decode a JWT - the payload is just Base64url-encoded, not encrypted. Never put sensitive data (passwords, credit card numbers) in a JWT. The signature only prevents tampering, not reading.

Decode with Toolium

The JWT Decoder instantly decodes any JWT token, showing the header and payload as formatted JSON. It checks the expiration claim and tells you whether the token is still valid or expired. Keep in mind that decoding is not verification: a decoder shows the claims as written in the token, and only a signature check with the right key tells you those claims are authentic.
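To make the difference between decoding and verifying concrete, here is an added Python example (not Toolium's code) that splits a token, decodes the header and payload, checks the exp claim, and separately verifies an HS256 signature. The key, claims and helper names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s: str) -> bytes:
    # JWTs drop Base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> dict:
    """Decode header and payload only. This does NOT prove the token is genuine."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have exactly three dot-separated parts")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
        "signature": b64url_decode(parts[2]),  # raw bytes, not JSON
    }


def is_expired(payload: dict, now=None) -> bool:
    """True once the exp claim (seconds since epoch) has passed."""
    now = int(time.time()) if now is None else now
    exp = payload.get("exp")
    return exp is not None and now >= exp


def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute HMAC-SHA256 over header.payload and compare in constant time."""
    head, body, _ = token.split(".")
    decoded = decode_jwt(token)
    if decoded["header"].get("alg") != "HS256":
        return False  # only accept the algorithm we expect; never trust alg from the token alone
    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, decoded["signature"])


def make_hs256(payload: dict, key: bytes) -> str:
    """Build a signed HS256 token for the demo (constructed, not a real issuer)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)
```

A token whose payload has been edited still decodes cleanly, so always pair the decoder's output with a signature check before acting on the claims.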
