How to Decode a JWT Token Online — No Library Needed
If you've worked on any modern web application, chances are you've encountered JSON Web Tokens (JWT). They've become the gold standard for secure authentication and information exchange between parties. But to the uninitiated, a JWT looks like a cryptic string of random characters:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
How do you make sense of this? How do you verify the information inside it? In this article, we’ll show you how to decode a JWT online and break down exactly how these tokens work.
What is a JWT?
A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
The 3-Part Structure of a JWT
A JWT consists of three parts separated by dots (.):
- Header
- Payload
- Signature
Let's break them down:
1. The Header
The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.
{
"alg": "HS256",
"typ": "JWT"
}
2. The Payload
The payload contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims.
- Registered claims: These are a set of predefined claims which are not mandatory but recommended, such as iss (issuer), exp (expiration time), sub (subject), and aud (audience).
- Public claims: These can be defined at will by those using JWTs.
- Private claims: These are the custom claims created to share information between parties that agree on using them and are neither registered nor public claims.
{
"sub": "1234567890",
"name": "John Doe",
"admin": true
}
3. The Signature
To create the signature, take the base64url-encoded header and the base64url-encoded payload, join them with a dot, and sign that string with the secret using the algorithm named in the header.
For example, if you use the HMAC SHA256 algorithm, the signature is created like this:
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret
)
How to Decode JWT Online
One of the best things about JWTs is that the header and payload are only base64url encoded, not encrypted, so you can decode a JWT online without needing the secret key. The secret key is required only to verify the signature, which is what proves the token hasn't been tampered with; a payload you have decoded but not verified tells you what the token claims, not whether those claims are genuine.
To inspect your token:
- Copy your JWT string.
- Paste it into a JWT Decoder.
- Analyze: The decoder will instantly show you the Header and Payload in human-readable JSON format.
Security Warning: Important Safety Tips
When using a JWT token inspector or any online tool, keep these security points in mind:
- Never paste production secrets: A JWT contains sensitive information about your users. While our tool runs locally in your browser and never sends data to a server, it is a best practice to avoid using real production tokens on external websites.
- Use Test Tokens: Use tokens from your development or staging environments when testing or debugging.
- Check the exp claim: Always look at the expiration time. If a token is expired, it will be rejected by your server.
Why Use an Online JWT Decoder?
A dedicated JWT decoder is essential for debugging:
- Instant Visibility: No need to write a script or use a library to see what's inside a token.
- No Dependencies: It works anywhere, whether you're on a Mac, Windows, or Linux machine.
- Verification: Many tools also let you paste your secret key to check whether the signature is valid; the same caution about production secrets applies to the key.
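The whole flow this page describes, as an added example that is not the article's or the ToolsForCode decoder's own code: base64url-decoding the header and payload without any key (the "How to Decode" section), building the HMAC-SHA256 signature exactly as the formula in the Signature section shows, and then verifying the signature and the exp claim the way a server would. The token printed at the top of the article is reused for the decode step; the secret `constructed-demo-secret`, the helper names (`decode_jwt`, `sign_hs256`, `check_hs256`, `edit_claims_keep_signature`) and the timestamps are constructed for this example, and the `now` parameter stands in for the system clock so the results are reproducible. It also shows why decoding is not verification: a payload with an edited claim still decodes cleanly, but the unchanged signature no longer matches.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# The token shown at the top of the article (header HS256, payload sub/name/iat).
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it so the standard decoder accepts them.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> tuple[dict, dict, bytes]:
    """Split a token into header, payload and raw signature WITHOUT verifying it.

    This is all an online decoder does: it reveals the contents but proves nothing.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWT has exactly three dot-separated parts")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, b64url_decode(parts[2])


def sign_hs256(payload: dict, secret: bytes) -> str:
    """HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)."""
    header = {"alg": "HS256", "typ": "JWT"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def check_hs256(token: str, secret: bytes, now: int | None = None) -> dict:
    """Verify the signature and the exp claim; returns {"valid", "reason", "payload"}."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"valid": False, "reason": "malformed token", "payload": None}
    header_seg, payload_seg, sig_seg = parts
    header = json.loads(b64url_decode(header_seg))
    # Pin the algorithm on the verifier side: the header is untrusted input.
    if header.get("alg") != "HS256":
        return {"valid": False, "reason": f"unexpected alg {header.get('alg')!r}", "payload": None}
    signing_input = f"{header_seg}.{payload_seg}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        return {"valid": False, "reason": "signature mismatch", "payload": None}
    payload = json.loads(b64url_decode(payload_seg))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= int(payload["exp"]):
        return {"valid": False, "reason": "token expired", "payload": None}
    return {"valid": True, "reason": "ok", "payload": payload}


def edit_claims_keep_signature(token: str, **changes) -> str:
    """Re-encode the payload with changed claims but keep the ORIGINAL signature.

    Used only to show that an edited token still decodes but fails verification.
    """
    header_seg, payload_seg, sig_seg = token.split(".")
    payload = json.loads(b64url_decode(payload_seg))
    payload.update(changes)
    new_p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_seg}.{new_p}.{sig_seg}"


if __name__ == "__main__":
    header, payload, _ = decode_jwt(PAGE_TOKEN)  # no key needed for this step
    print("header :", header)
    print("payload:", payload)

    secret = b"constructed-demo-secret"  # constructed for this example only
    token = sign_hs256({"sub": "1234567890", "admin": False, "exp": 2_000_000_000}, secret)
    print("fresh token  :", check_hs256(token, secret, now=1_900_000_000))
    print("wrong secret :", check_hs256(token, b"some-other-secret", now=1_900_000_000)["reason"])
    print("expired      :", check_hs256(token, secret, now=2_000_000_001)["reason"])
    edited = edit_claims_keep_signature(token, admin=True)
    print("edited claim decodes as:", decode_jwt(edited)[1]["admin"])
    print("edited claim verifies  :", check_hs256(edited, secret, now=1_900_000_000)["reason"])
```

The verifier pins `alg` to HS256 rather than reading it from the token, compares signatures in constant time, and treats a missing exp as "no expiry set" rather than as an error; a production check would normally also validate iss and aud against expected values.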
Conclusion
Understanding how to decode JWTs is a fundamental skill for modern developers. By breaking down the token into its three core components, you can quickly debug authentication issues and ensure your application's security is on point.
Try it free at ToolsForCode → JWT Decoder