How to Decode JWT Tokens

March 22, 2026 · 5 min read

JSON Web Tokens (JWTs) are everywhere in modern web development. If you've ever worked with authentication APIs, OAuth, or single sign-on, you've dealt with JWTs. But what's actually inside one? And how do you decode it?

In this guide, you'll learn what JWTs are, how they're structured, and how to decode them — both manually and with a free online JWT decoder.

What Is a JWT?

A JWT (pronounced "jot") is a compact, URL-safe token used to transmit claims between two parties. It's defined in RFC 7519 and commonly used for:

JWT Structure: The Three Parts

Every JWT consists of three Base64URL-encoded parts separated by dots:

    header.payload.signature

For example, the following token is a header, a payload and a signature joined by dots:

    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

1. Header

The header typically contains the signing algorithm and token type:

    {
      "alg": "HS256",
      "typ": "JWT"
    }

2. Payload

The payload contains the claims — statements about the user and additional metadata:

    {
      "sub": "1234567890",
      "name": "John Doe",
      "iat": 1516239022
    }

Common standard claims include:

3. Signature

The signature verifies the token hasn't been tampered with. It's created by signing the encoded header and payload with a secret key:

    HMACSHA256(
      base64UrlEncode(header) + "." + base64UrlEncode(payload),
      secret
    )

Important: Decoding a JWT does not verify it. Anyone can decode a JWT — the signature verification is what proves it's authentic. Never trust a JWT's claims without verifying the signature on your server.

How to Decode a JWT

Method 1: Use an Online Decoder

The quickest way is to paste your token into a JWT decoder tool. It will instantly show you the header, payload, and expiration status.


Method 2: Command Line

You can decode a JWT with Base64 decoding. Split the token on the dots and decode each part:

    # Decode the payload (second part). Base64URL omits the '=' padding,
    # so add it back before handing the segment to base64 -d.
    echo "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ==" | base64 -d
    # Output: {"sub":"1234567890","name":"John Doe","iat":1516239022}

    # Segments that contain '-' or '_' (such as the signature above) use the
    # URL-safe alphabet; map them to standard Base64 first:
    #   echo "<segment>" | tr '_-' '/+' | base64 -d

Note: You may need to add padding (=) to the Base64 string for some decoders. The UtilShed JWT decoder handles this automatically.

Method 3: In JavaScript

    function decodeJWT(token) {
      const parts = token.split('.');
      if (parts.length !== 3) throw new Error('Not a JWT');
      // atob() expects standard Base64, so map the URL-safe alphabet back,
      // then decode the bytes as UTF-8 so non-ASCII claims survive intact.
      const segmentToJSON = (segment) => {
        const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
        const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
        return JSON.parse(new TextDecoder().decode(bytes));
      };
      // Decoding only: this does NOT check the signature.
      return { header: segmentToJSON(parts[0]), payload: segmentToJSON(parts[1]) };
    }

    const decoded = decodeJWT('eyJhbGciOiJIUzI1...');
    console.log(decoded.payload.sub); // "1234567890"

Method 4: In Python

    import base64, json

    def decode_jwt(token):
        """Decode the payload only. This does NOT verify the signature."""
        parts = token.split('.')
        # Base64URL drops the '=' padding; restore it (adds nothing when
        # the length is already a multiple of 4)
        payload = parts[1] + '=' * (-len(parts[1]) % 4)
        return json.loads(base64.urlsafe_b64decode(payload))

    claims = decode_jwt('eyJhbGciOiJIUzI1...')
    print(claims['sub'])  # "1234567890"

Common JWT Pitfalls

When to Use JWTs

JWTs are great for stateless authentication — the server doesn't need to store session data. They work well for:

They're less ideal for long-lived sessions or when you need server-side session revocation.

Try It Now

Ready to decode a JWT? Use the free JWT decoder on UtilShed — paste any token to instantly see its contents, expiration status, and claims.
