How to Decode a JWT Token
A practical guide to decoding JSON Web Tokens, reading JWT claims, and understanding what signature verification does.
A JSON Web Token is a compact string used to pass claims between systems. Developers often decode JWTs while debugging login flows, API requests, refresh token behavior, and authorization errors.
The three parts of a JWT
A JWT contains a header, payload, and signature separated by dots. The header describes the token type and signing algorithm. The payload contains claims such as subject, issuer, audience, issued-at time, and expiration time. The signature helps a server detect tampering.
Decoding reads the Base64Url-encoded header and payload. It does not prove the token is trusted. Verification checks the signature against the expected secret or public key.
- Header: algorithm and token type.
- Payload: registered and custom claims.
- Signature: evidence that the header and payload were produced with the signing key and have not changed since.
Important claims to inspect
The exp claim tells you when a token expires. The iat claim records when it was issued. The iss claim identifies the issuer, and aud identifies the intended audience. The sub claim usually identifies the user, account, or service principal.
A token can decode correctly and still be invalid. Always verify the signature and validate issuer, audience, expiration, and any application-specific rules on the server.
Safe JWT debugging
JWT payloads are encoded, not encrypted. Anyone with the token can read the decoded claims. Avoid placing secrets, passwords, payment data, or private profile fields inside JWT payloads.
When debugging production tokens, prefer local browser-based tools and avoid pasting sensitive tokens into systems you do not control.
Frequently Asked Questions
Can anyone decode a JWT?
Yes. JWT headers and payloads are Base64Url encoded, not encrypted. The signature lets a verifier detect changes, but it does not hide the payload.
What is the difference between decoding and verifying a JWT?
Decoding reveals the token contents. Verification checks whether the signature matches the expected key and whether the token should be trusted.
Should I put sensitive data in a JWT?
No. Unless the token is encrypted with JWE, assume anyone who receives it can read the payload.
