ToolPatch

One page. One job. Done.

← Back to all tools
Developer Tools

JWT Decoder

Decode JWT header and payload claims for debugging.

Formula reviewed: 2026-02-14 Developer Tools

JWT Decoder parses JSON Web Tokens into their header and payload so claims can be inspected without writing helper code. A JWT usually has three Base64URL-encoded parts: the header describes the token type and signing algorithm, the payload contains claims such as issuer (`iss`), audience (`aud`), subject (`sub`), and expiration (`exp`), and the signature allows a verifier to detect tampering. Decoding reveals the text inside the token, but it does not prove that the token is trustworthy. Signature verification requires the correct secret or public key and the expected algorithm, issuer, audience, and time rules. Use this tool for debugging and QA, not as an authentication decision engine.

Permalink

Input Pattern

Enter values in the left panel, keep units explicit, run the calculation, then copy or share the result. Invalid fields are highlighted immediately.

How to use this tool

  1. Paste the full JWT string (three dot-separated segments) into the input field.
  2. Run the decoder and inspect header and payload claims in the output.
  3. Verify expected issuer, audience, and expiration values against your auth configuration.

JWT Input

Decodes header and payload only. Signature is not verified.

Decoded Output

Signature length: 43

Signature preview: SflKxwRJSMeKKF2QT4fwpMeJ...

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "ToolPatch",
  "iat": 1700000000,
  "exp": 1900000000
}

Registered Claims

Claim Value Interpreted
sub 1234567890 -
iat 1700000000 2023-11-14T22:13:20Z
exp 1900000000 2030-03-17T17:46:40Z

JSON Web Tokens Explained

A Compact Claims Format

A JSON Web Token, or JWT, is a compact way to carry claims between systems. It is commonly used in authentication and authorization flows, but the format itself is simply a structured token. A typical JWT has three Base64URL-encoded parts separated by dots: a header, a payload, and a signature.

The header describes the token type and signing algorithm. The payload contains claims such as subject, issuer, audience, expiration time, roles, or application-specific data. The signature is used to detect tampering when the verifier has the correct secret or public key. The token is portable because it can travel in HTTP headers, cookies, or other text-based channels.

Decoding Is Not Verification

JWT headers and payloads are encoded, not encrypted, unless a separate encrypted token format is used. Anyone who has the token can decode those sections and read the claims. That is why sensitive secrets do not belong in ordinary JWT payloads.

Verification is a different step. A system must check the signature, algorithm, issuer, audience, expiration, not-before time, and any application-specific constraints before trusting the token. A decoded token can be useful for debugging, but it should never be treated as valid merely because it parses cleanly. Security comes from verification and policy checks, not from the visual structure of the token.

Claims and Lifetimes

Registered claims provide common vocabulary. The iss claim names the issuer, sub identifies the subject, aud names the intended audience, exp gives expiration, and nbf can prevent use before a certain time. Private claims add application-specific meaning, such as tenant identifiers or permission scopes.

Token lifetime is a major design choice. Short-lived tokens reduce risk if stolen, but they require refresh flows or more frequent reauthentication. Long-lived tokens improve convenience but increase exposure. Many systems pair short-lived access tokens with carefully controlled refresh tokens, plus revocation strategies for account changes and incident response.

Operational Risks

JWT problems often come from key handling, algorithm confusion, clock skew, oversized payloads, or inconsistent validation across services. A service that checks expiration but ignores audience may accept a token meant for another system. A service that trusts a user-controlled algorithm field can be vulnerable if libraries are misused.

Good JWT practice is boring in the best way: keep payloads minimal, use well-supported algorithms, rotate keys deliberately, validate every relevant claim, and log enough metadata to debug failures without exposing full tokens. The format is convenient, but convenience does not replace careful trust boundaries.

Formula or method

Worked example

Inspecting an API access token in QA

Result: The decoded header and payload reveal claims such as issuer, audience, subject, scopes, and expiration.

Use the decoded claims to debug configuration, then verify the token with the correct key and validation rules in the target service.

How to interpret the result

Decoded JWT contents are readable diagnostics; they are not evidence that a request should be trusted.

Common mistakes

Review note and limitations

Method - Base64URL decoding and JSON parsing of JWT header and payload.

Developer debugging aid only. Do not use decoded output as an authentication or authorization decision.

FAQ

Does decoding verify a JWT?

No. Decoding only reveals header and payload text. Verification requires the correct key and validation rules.

Is JWT payload encrypted?

Ordinary JWT payloads are encoded, not encrypted. Do not put secrets in them unless using an appropriate encrypted token format.

Explore more versions

Tailored guides for specific audiences, regions, and scenarios.

Related tools and workflows

JWT debugging often pairs with JSON formatters, header checkers, hash tools, and API response formatters.