ToolBook
Support us on Ko-fi
Help us keep this free, forever

JWT Decoder

Bug

How to decode a JWT token online

Use ToolBook JWT Decoder to parse any JSON Web Token and inspect its header, payload claims, algorithm, and expiry status instantly.

  1. Paste your JWT token

    Paste the full token string (the three dot-separated Base64URL segments) into the input box, or click "Load sample" to use a demo token.

  2. Read the algorithm and status badge

    The metadata bar shows the signing algorithm (e.g. HS256, RS256) and a colour-coded badge: Valid, Expired, Not yet valid, or No expiry.

  3. Inspect the Header

    The Header card shows the alg (signing algorithm), typ (token type), and any other fields such as kid (key ID) from the first JWT segment.

  4. Read the Payload claims

    The Payload card displays all claims: registered ones like sub, iss, aud, exp, iat, nbf, and any custom claims your application added.

  5. Check the expiry time

    If an exp claim is present, the badge shows time remaining (for valid tokens) or the expiry date (for expired tokens) so you can debug authentication issues quickly.

  6. Copy any section

    Use the copy icon in the Header, Payload, or Signature card to copy the decoded content to your clipboard for use in debugging or documentation.

Frequently asked questions

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe string used to securely transmit information between parties as a JSON object. It consists of three Base64URL-encoded parts separated by dots: a Header (algorithm and token type), a Payload (claims), and a Signature. The payload is encoded, not encrypted, so anyone with the token can decode it.

Is my JWT safe to paste here?

The token is decoded entirely in your browser; nothing is sent to a server. However, JWTs may contain sensitive user data such as user IDs, roles, and email addresses. As a general rule, avoid pasting production tokens from real users into any online tool. Use a test or development token instead.

What are JWT claims?

Claims are key-value pairs in the payload that make statements about the token subject. Registered claims are standard fields defined in RFC 7519: iss (issuer), sub (subject), aud (audience), exp (expiration time), iat (issued at), nbf (not before), and jti (JWT ID). Private claims are any custom fields your application adds, such as user roles or permissions.

What does the expiry badge mean?

The badge shows one of four states based on the exp, nbf, and current time. "Valid" means the token is active and not yet expired. "Expired" means the exp timestamp is in the past and most servers will reject the token. "Not yet valid" means the current time is before the nbf (not before) claim. "No expiry" means the token has no exp claim and never expires on its own.

Can this tool verify a JWT signature?

No. Verifying the signature requires the secret key (for HS256/HS384/HS512) or the public key (for RS256/ES256) used when the token was signed. This JWT decoder only decodes the header and payload, which are Base64URL-encoded, not encrypted. Anyone with the raw token string can decode them. The signature segment is shown as-is for reference.

What algorithms do JWTs support?

Common algorithms include HS256 (HMAC-SHA256, symmetric), HS384, HS512, RS256 (RSA-SHA256, asymmetric), RS384, RS512, ES256 (ECDSA-SHA256, asymmetric), ES384, ES512, and PS256 (RSA-PSS). The algorithm is declared in the header alg field. For new projects, RS256 or ES256 is generally preferred over HS256 because they use separate signing and verification keys.

What is the difference between a JWT and a session token?

A traditional session token is an opaque random string that maps to server-side session data. A JWT is self-contained: all the user information lives inside the token itself. This makes JWTs stateless and easy to use across microservices, but it also means a JWT cannot be invalidated server-side without additional infrastructure (a blocklist or short expiry windows).

Why does my JWT say "not yet valid"?

The nbf (not before) claim sets an earliest time before which the token must not be accepted. If the current time is before the nbf timestamp, the status shows "not yet valid." This is useful for issuing tokens that activate at a future point, or for clock-skew tolerance between servers.

Can JWT payload data be encrypted?

Standard JWTs (JWS) sign the payload but do not encrypt it. The payload is only Base64URL-encoded, so anyone who intercepts the token can read the claims. If you need encryption, use JWE (JSON Web Encryption), which wraps an encrypted payload. Never store passwords, credit card numbers, or other secrets in a standard JWT payload.

How do I decode a JWT manually without a tool?

Split the JWT string on the dots to get three segments. Take the second segment (payload) and Base64URL-decode it: replace - with + and _ with /, pad to a multiple of 4 with =, then run through a standard Base64 decoder. The result is the raw JSON payload. The same process works for the first segment (header).

JWTs explained: structure, claims, algorithms, and common mistakes

What every developer touching authentication needs to know about JSON Web Tokens — from HS256 to RS256 to why JWTs are not sessions.

JWT structure in depth

A JSON Web Token has exactly three parts, separated by dots and Base64url-encoded:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9   ← Header
.eyJzdWIiOiIxMjM0NTY3ODkwIn0             ← Payload
.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c  ← Signature

Decoding the first two segments gives JSON objects. The third segment is a cryptographic signature computed over the first two.

Important: Base64url encoding is not encryption. Anyone holding the token can decode the header and payload. Never put secrets (passwords, credit card numbers, access keys) in a JWT payload unless the token is additionally encrypted (JWE, not JWS).

Registered claims

RFC 7519 defines these standard claim names:

| Claim | Meaning | Type | |---|---|---| | iss | Issuer — who created the token | String | | sub | Subject — who the token is about | String | | aud | Audience — intended recipient | String or array | | exp | Expiration time | Unix timestamp | | iat | Issued at | Unix timestamp | | nbf | Not before — token valid from | Unix timestamp | | jti | JWT ID — unique token identifier | String |

These are conventionally short to keep token size small. Your application can add arbitrary custom claims alongside them.

Algorithms: symmetric vs asymmetric

HS256 (HMAC-SHA256): a single shared secret is used to both sign and verify. Fast and simple, but both the issuer and verifier must have the same secret. If you share the secret with a third party, that party can also issue tokens — intended for monolithic systems.

RS256 (RSA-SHA256): a private key signs the token; a public key verifies it. The verifier never needs the private key. Ideal for microservices where many services need to verify tokens but only the auth server should issue them.

ES256 (ECDSA-SHA256): like RS256 but uses Elliptic Curve Cryptography. Produces much shorter signatures than RSA and is faster to verify.

alg: none: the "none" algorithm means the token has no signature. Never accept tokens with alg: none unless you explicitly expect unsigned tokens — some early JWT libraries had a vulnerability where an attacker could strip the signature and set alg: none to forge arbitrary tokens.

Expiry and refresh patterns

Every JWT should have an exp claim. A reasonable access token lifetime is 15 minutes to 1 hour. Short-lived tokens limit the damage if a token is stolen.

Long sessions use refresh tokens: a longer-lived opaque token stored securely (HttpOnly cookie) that can be exchanged for a new short-lived access token. The refresh token can be revoked server-side; the access token cannot (until it expires).

JWTs are not sessions

A common misconception: JWTs can replace server-side sessions. They cannot be revoked before expiry (without a server-side allowlist/denylist that defeats the stateless advantage). They are not encrypted by default. They grow larger with each added claim.

Use JWTs for short-lived authentication tokens in distributed systems. Use server-side sessions for long-lived user sessions in traditional web apps where you can control session invalidation on logout.

Related tools

Developer

Base64 Encoder / Decoder

Encode, decode, download. Runs in your browser.

Developer

Hash Generator

Five algorithms. One paste. Instant checksums.

Developer

JSON Formatter

Paste JSON. Format, validate, and minify in seconds.