JSON Web Tokens (JWTs) are everywhere — from API authentication to OAuth flows. But when you're debugging an auth issue at 2 AM, the last thing you want is to install a library just to peek inside a token.
What's Inside a JWT?
A JWT consists of three Base64URL-encoded parts separated by dots:
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NSJ9.signature
Header — Contains the signing algorithm (alg) and token type (typ). Common algorithms include HS256 (HMAC), RS256 (RSA), and ES256 (ECDSA).
Payload — Contains claims about the user. Standard claims include:
- sub — Subject (user ID)
- iss — Issuer (who created the token)
- exp — Expiration time (Unix timestamp)
- iat — Issued at time
- aud — Audience (intended recipient)
Signature — Created by signing the header and payload with a secret key. This prevents tampering.
Decode a JWT Instantly
Use our free JWT decoder to paste any token and instantly see the decoded header, payload, and all claims. It runs 100% client-side — your token never leaves your browser.
The decoder also automatically checks the exp claim and tells you if the token is still valid or has expired, with human-readable timestamps.
Common JWT Debugging Scenarios
1. "Why am I getting 401 Unauthorized?"
The most common cause is an expired token. Decode it and check the exp claim. If it's in the past, you need to refresh the token.
2. "Is my token actually carrying the right claims?"
Sometimes the auth server doesn't include the claims you expect. Decode the token to verify role, scope, or custom claims are present.
3. "Which algorithm should I use?"
For most applications, RS256 (RSA with SHA-256) is recommended. It uses asymmetric keys, so the private key stays on the auth server and public keys can be distributed for verification. HS256 is simpler but requires sharing the secret key with every service that needs to verify tokens.
JWT Security Best Practices
- Never store sensitive data in JWTs — They're encoded, not encrypted. Anyone can decode the payload.
- Always validate the signature — Don't just decode; verify the signature server-side.
- Set short expiration times — Use refresh tokens for long-lived sessions.
- Use HTTPS — JWTs in transit should always be encrypted via TLS.
- Validate the iss and aud claims — Prevent tokens from one service being accepted by another.
Decode JWTs Programmatically
If you need to decode JWTs in code (without verification), it's just Base64 decoding:
```javascript
// JavaScript (decode only, no signature check)
// token: the raw JWT string; Base64URL uses '-' and '_' where Base64 uses '+' and '/'
const [header, payload] = token.split('.').slice(0, 2)
  .map(part => JSON.parse(atob(part.replace(/-/g, '+').replace(/_/g, '/'))));
console.log(payload);
```

```python
# Python (decode only, no signature check)
import base64, json

# token: the raw JWT string; '==' restores the padding JWTs strip (extra '=' is ignored)
parts = token.split('.')
payload = json.loads(base64.urlsafe_b64decode(parts[1] + '=='))
print(payload)
```
More Developer Tools
If you found this useful, check out our other free developer tools:
- JWT Decoder — Decode tokens instantly
- Cron Expression Generator — Build crontab schedules visually
- JSON Formatter — Format, validate, and inspect JSON
- Screenshot API — Capture any website programmatically
- QR Code API — Generate QR codes via API