How to Decode JWT Tokens — Developer Guide

Published April 4, 2026 · 6 min read

What Is a JWT Token?

A JSON Web Token (JWT) is a compact, URL-safe string used to transfer claims between two parties. JWTs are the standard for authentication in modern web applications — when you log in to a site, you likely receive a JWT.

A JWT looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkthcyIsImlhdCI6MTcxNjIzOTAyMn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

It has three parts separated by dots: Header, Payload, and Signature.


JWT Structure Explained

1. Header

The header specifies the signing algorithm and token type:

{
  "alg": "HS256",
  "typ": "JWT"
}

Common algorithms:

Algorithm   Type              Use Case
HS256       HMAC + SHA-256    Simple shared secret
RS256       RSA + SHA-256     Public/private key pair
ES256       ECDSA + SHA-256   Compact, modern alternative to RSA

2. Payload (Claims)

The payload contains claims — statements about the user and metadata:

{
  "sub": "1234567890",
  "name": "Kas",
  "email": "kas@example.com",
  "role": "admin",
  "iat": 1716239022,
  "exp": 1716242622
}

Standard claims:

⚠️ Warning: JWT payloads are Base64-encoded, NOT encrypted. Anyone can decode them. Never put sensitive data (passwords, API keys) in a JWT payload.

3. Signature

The signature lets the recipient check that the header and payload haven't been tampered with. For HS256 it is computed as:

HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)

How to Decode a JWT

Method 1: Online Tool

The easiest way is to use our free JWT Decoder. Paste your token and instantly see the decoded header and payload with human-readable timestamps.

Method 2: Command Line

# Decode the payload (middle section)
echo "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkthcyJ9" | base64 -d

# Full JWT decode with jq. JWT segments use base64url (- and _ instead of + and /)
# and drop the '=' padding, so convert and re-pad before base64 -d instead of hiding its errors
echo "YOUR_JWT_TOKEN" | cut -d. -f2 | tr '_-' '/+' | awk '{ while (length($0) % 4) $0 = $0 "="; print }' | base64 -d | jq .

Method 3: JavaScript

function decodeJWT(token) {
  const [header, payload, signature] = token.split('.');
  // JWT segments are base64url; swap - and _ for + and / so atob accepts them
  const fromBase64Url = (s) => JSON.parse(atob(s.replace(/-/g, '+').replace(/_/g, '/')));
  return {
    header: fromBase64Url(header),
    payload: fromBase64Url(payload),
    signature: signature // still encoded; decoding does NOT verify it
  };
}

const decoded = decodeJWT('eyJhbGciOiJIUzI1NiJ9.eyJuYW1lIjoiS2FzIn0.xxx');
console.log(decoded.payload); // { name: "Kas" }

Method 4: Python

import jwt  # pip install PyJWT

token = "YOUR_JWT_TOKEN"  # the compact JWT string you want to inspect

# Decode without verification (useful for debugging only; never trust these claims)
payload = jwt.decode(token, options={"verify_signature": False})
print(payload)

# Decode with verification; pin the algorithm so the token's own "alg" header cannot choose it
payload = jwt.decode(token, "your-secret-key", algorithms=["HS256"])
print(payload)

Method 5: Node.js

const jwt = require('jsonwebtoken');  // npm install jsonwebtoken

const token = 'YOUR_JWT_TOKEN';  // the compact JWT string you want to inspect

// Decode without verification (debugging only; the claims are unverified)
const decoded = jwt.decode(token, { complete: true });
console.log(decoded.header);
console.log(decoded.payload);

// Verify and decode; pin the algorithm so the token's own "alg" header cannot choose it
const verified = jwt.verify(token, 'your-secret-key', { algorithms: ['HS256'] });
console.log(verified);

JWT Security Best Practices

  1. Always verify signatures — Never trust a JWT without verifying its signature
  2. Use short expiration times — Set exp to 15-60 minutes for access tokens
  3. Use refresh tokens — Pair short-lived access tokens with longer-lived refresh tokens
  4. Don't store sensitive data — Payloads are Base64-encoded, not encrypted
  5. Use HTTPS — Always transmit JWTs over encrypted connections
  6. Validate the iss and aud claims — Prevent token misuse across services
  7. Rotate signing keys — Regularly rotate your secret keys
💡 Pro tip: Use the jti (JWT ID) claim with a server-side blocklist to implement token revocation without losing the stateless benefits of JWT.
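The HS256 signature formula from section 3 and the checklist above (verify the signature, pin the algorithm, honour exp/nbf, check iss and aud), worked through with the Python standard library. This is an added example, not the page's decoder tool or the PyJWT library; the secret, issuer and audience values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
# Constructed demo values for this example, not real credentials
SECRET = b"constructed-demo-secret"
ISSUER, AUDIENCE = "https://auth.example.com", "api.example.com"

def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def sign_hs256(header: dict, claims: dict, secret: bytes) -> str:
    """HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)."""
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims only if alg, signature, exp, nbf, iss and aud all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("jwt malformed")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except ValueError as exc:  # binascii.Error and JSONDecodeError both subclass ValueError
        raise ValueError("jwt malformed") from exc
    # Pin the algorithm the verifier expects instead of trusting the token's own "alg" field
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise ValueError("invalid signature")
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("jwt expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("jwt not active")
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("iss/aud mismatch")
    return claims
```

Passing a fixed `now` makes the time checks reproducible in tests; omit it in production so the current clock is used.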

Common JWT Errors

Error               Cause                             Fix
jwt expired         Token past exp time               Request a new token
invalid signature   Wrong secret or tampered token    Check your secret key
jwt malformed       Invalid format (missing parts)    Ensure 3-part format
jwt not active      Before nbf time                   Wait or check clock sync

JWT vs Sessions

Feature       JWT                         Sessions
Storage       Client-side                 Server-side
Scalability   Excellent (stateless)       Requires session store
Revocation    Harder                      Easy (delete session)
Size          Larger (payload in token)   Small (just session ID)
Mobile        Great                       Needs cookie support
