How to Decode JWT
Learn how to decode JSON Web Tokens, understand their structure, and verify token signatures.
1. What JWT Decoding Is
Decoding a JWT (JSON Web Token) means converting the Base64URL-encoded parts of the token back into human-readable JSON. A JWT has three parts: header, payload, and signature. The header and payload are Base64URL-encoded JSON objects and can be decoded by anyone; Base64URL is an encoding, not encryption. The signature is used to verify that the header and payload have not been tampered with. Decoding is not the same as verifying: decoding just reads the data, while verifying checks the signature to ensure authenticity. Anyone can decode a JWT; the signature is what provides security, through verification.
2. Why It Matters
Being able to decode JWT tokens is essential for debugging authentication issues, understanding what data is in tokens, and verifying that tokens contain the correct claims. During development, you often need to inspect tokens to check expiration times, user roles, and other claims. JWT decoders make this quick and easy. Remember that decoding alone does not validate the token - always verify signatures in production code.
3. Example
JWT: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Header (decoded):
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload (decoded):
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
The JWT is split by dots into three parts. The first two parts are Base64URL decoded to reveal the header and payload as JSON objects.
4. Common Mistakes
1. Confusing decoding with verification
Decoding just reads the token data. Verification checks the signature to ensure the token is authentic and has not been tampered with.
2. Storing secrets in tokens
Never store passwords, API keys, or other secrets in JWT payloads. They can be decoded by anyone.
3. Not verifying signatures
Always verify JWT signatures in production. Decoding alone does not prove the token is valid.
4. Ignoring expiration
Always check the exp (expiration) claim. Expired tokens should be rejected.
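The following is an added, stand-alone Python example, not code from this page or from any JWT library. It covers both the decoding step shown in section 3 (splitting on dots and Base64URL-decoding the first two parts, with the padding restored) and the checks behind common mistakes 1, 3 and 4: pinning the algorithm, verifying the HS256 signature over the exact header.payload bytes with a constant-time comparison, and rejecting tokens on or after their exp time. It reuses the page's example token. The secret `your-256-bit-secret` that the demo block checks it against is an assumption (the demo secret commonly published with that token), and `encode_hs256` is a helper added here only so that expired and tampered tokens can be constructed locally.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# The example token from section 3 above (HS256, carries no exp claim).
SAMPLE_JWT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)
# Assumption: the demo secret this example token is commonly published with.
DEMO_SECRET = b"your-256-bit-secret"


def b64url_decode(segment: str) -> bytes:
    """Base64URL-decode one JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Base64URL-encode without padding, as the JWS compact format requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> Tuple[dict, dict, bytes]:
    """Split a compact JWT into (header, payload, raw signature) WITHOUT verifying it.

    This is the 'decode' step: anyone holding the token can do it, no key needed.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWT must have exactly three dot-separated parts")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, b64url_decode(parts[2])


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Verify an HS256 token's signature and exp claim; return the payload on success.

    The signature is HMAC-SHA256 over the ASCII bytes of "<header>.<payload>"
    exactly as they appear in the token, so changing either part breaks it.
    """
    header, payload, signature = decode_jwt(token)
    # Pin the algorithm server-side: the token must not be allowed to pick it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}; only HS256 is accepted")
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise ValueError("signature mismatch: token was not signed with this secret")
    now = int(time.time()) if now is None else now
    # RFC 7519: a token must not be accepted on or after its exp time.
    if "exp" in payload and now >= int(payload["exp"]):
        raise ValueError("token has expired")
    return payload


def _compact_json(obj: dict) -> bytes:
    """Serialize without whitespace so the signed bytes are unambiguous."""
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def encode_hs256(payload: dict, secret: bytes) -> str:
    """Helper used only to construct local test tokens; mirrors verify_hs256's rules."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(_compact_json(header)) + "." + b64url_encode(_compact_json(payload))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


if __name__ == "__main__":
    header, payload, _ = decode_jwt(SAMPLE_JWT)
    print("header :", header)
    print("payload:", payload)
    print("verified:", verify_hs256(SAMPLE_JWT, DEMO_SECRET))
    # A constructed token that expired one second ago is rejected even though
    # its signature is valid: decoding succeeds, verification does not.
    stale = encode_hs256({"sub": "1234567890", "exp": int(time.time()) - 1}, b"k")
    try:
        verify_hs256(stale, b"k")
    except ValueError as err:
        print("rejected:", err)
```

Note the order of checks in `verify_hs256`: the algorithm is fixed by the server, the signature is checked before any claim is trusted, and only then is exp compared against the clock. Passing `now` explicitly makes the expiry rule testable without waiting for real time to pass.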