What is a JWT? How to Decode and Inspect JSON Web Tokens
JWTs are used in almost every modern web application for authentication and authorization. If you have ever logged into an app and noticed a long string of characters in a cookie or Authorization header, chances are it was a JWT. This guide explains what a JWT is, what each part means, and how to decode one without writing a single line of code.
Try the free JWT Decoder
Paste any token and instantly see its header, payload, and expiry.
What is a JWT?
JWT stands for JSON Web Token. It is an open standard (RFC 7519) for securely transmitting information between parties as a compact, self-contained JSON object. JWTs are digitally signed, which means the receiving party can verify that the content has not been tampered with.
In practice, JWTs are most commonly used for authentication: after you log in, the server issues a JWT. Your browser sends this token with every subsequent request, and the server verifies it to confirm your identity — without needing to look up a session in a database.
What Does a JWT Look Like?
A JWT is a long string of characters separated by two dots, giving it three distinct parts:
The Three Parts of a JWT
1. Header
The header is a Base64URL-encoded JSON object (the URL-safe variant of Base64, with padding stripped) that describes the token. It typically contains two fields: the token type (typ, which is JWT) and the signing algorithm (alg).
Common algorithms include HS256 (HMAC with SHA-256) and RS256 (RSA with SHA-256).
2. Payload
The payload contains the actual data — called claims. Claims are statements about the user and any additional metadata the server wants to include.
3. Signature
The signature is created by taking the encoded header and payload, joining them with a dot, and signing that string with the server's key using the algorithm named in the header (a shared secret for HS256, a private key for RS256). This lets the receiver detect any modification of the header or payload after the token was issued.
Importantly, the signature does not encrypt the payload — it only verifies integrity. Anyone can read the payload of a JWT. Never store sensitive data like passwords in a JWT.
Standard JWT Claims
| Claim | Name | Meaning |
|---|---|---|
| sub | Subject | The user the token refers to (usually a user ID) |
| iss | Issuer | Who issued the token (e.g. your auth server) |
| aud | Audience | Who the token is intended for |
| exp | Expiry | Unix timestamp when the token expires |
| iat | Issued At | Unix timestamp when the token was created |
| nbf | Not Before | Token must not be accepted before this time |
How Token Expiry Works
The exp claim contains a Unix timestamp. Once the current time passes this value, the token is considered expired and the server should reject it. Typical access tokens expire in 15 minutes to 1 hour. Refresh tokens can last days or weeks.
When debugging an authentication issue, the expiry is one of the first things to check. Our JWT Decoder shows you the expiry in a human-readable format so you can see at a glance whether a token is still valid.
JWT vs Session Tokens
Traditional session-based authentication stores session data on the server and gives the client a session ID. With JWTs, all the data is in the token itself — the server does not need to store anything. This makes JWTs ideal for stateless APIs and microservices, but it also means you cannot invalidate a JWT before it expires (unless you maintain a blocklist, which defeats some of the purpose).
Common Security Mistakes with JWTs
- Storing JWTs in localStorage — vulnerable to XSS attacks. Prefer httpOnly cookies.
- Not verifying the signature — always verify the token server-side before trusting its claims.
- Using the "none" algorithm — some libraries accept unsigned tokens if the algorithm is set to "none". Always explicitly specify and validate the expected algorithm.
- Storing sensitive data in the payload — the payload is only Base64-encoded, not encrypted. Anyone with the token can read it.
- Setting expiry too long — a stolen token is valid until it expires. Keep access token lifetimes short.
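As an added example that is not part of the original page or its decoder tool, the following standard-library Python shows both halves of the story: how the signature in section 3 is computed over `header.payload`, and what a server-side check that avoids the mistakes listed above looks like (algorithm pinned to HS256 so "none" is rejected, constant-time HMAC comparison, and exp/nbf enforced). The secret and all claim values are constructed demo data.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-secret-do-not-use"  # constructed demo secret; real code loads it from a secret store

def b64url_decode(segment):
    """Base64URL-decode one segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_json(obj):
    """Compact-serialize and Base64URL-encode, the way a JWT library builds segments."""
    raw = base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode())
    return raw.rstrip(b"=").decode()

def decode_unverified(token):
    """What a decoder tool shows: header and payload, with no trust implied."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def verify_hs256(token, secret, now=None):
    """Return the claims only if alg is pinned to HS256, the HMAC matches and
    'now' lies inside the nbf/exp window; otherwise raise ValueError."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Never let the token pick the algorithm: this rejects "none" outright.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, ("%s.%s" % (header_b64, payload_b64)).encode(), hashlib.sha256).digest()
    # Constant-time comparison, so a forger learns nothing from response timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims

def mint_hs256(claims, secret):
    """Sign exactly as the text describes: HMAC-SHA256 over 'header.payload'."""
    header_b64, payload_b64 = b64url_json({"alg": "HS256", "typ": "JWT"}), b64url_json(claims)
    sig = hmac.new(secret, ("%s.%s" % (header_b64, payload_b64)).encode(), hashlib.sha256).digest()
    return "%s.%s.%s" % (header_b64, payload_b64, base64.urlsafe_b64encode(sig).rstrip(b"=").decode())
```

`decode_unverified` is all a decoder tool can do; only `verify_hs256`, run on the server with the real secret, decides whether the claims may be trusted.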
How to Decode a JWT
You can decode any JWT instantly without a library or any code:
- Copy the JWT from your browser DevTools, Postman, or your codebase
- Paste it into the JWT Decoder
- Instantly see the decoded header, payload, and a human-readable expiry time
- Use it to debug authentication issues, inspect user roles, or verify token contents
Decode your JWT now
Free, instant, no signup needed.