TakeThe Tools Logo
Developer Tools 4/15/2026 TakeThe Tools Team

How to Decode a JWT Token Online for Free

Comprehensive Guide

How to Decode a JWT Token Online for Free

Table of Contents

What Is a JWT Token

JWT stands for JSON Web Token. It is an open standard for securely transmitting information between parties as a compact, URL-safe string. You encounter JWTs constantly in modern web development — they are the most common format for authentication tokens in REST APIs.

A JWT looks like three Base64-encoded strings joined by dots:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEwNDIsIm5hbWUiOiJIYXJvb24iLCJyb2xlIjoiZGV2ZWxvcGVyIiwiaWF0IjoxNzE2MDAwMDAwLCJleHAiOjE3MTYwODY0MDB9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

This looks like random encrypted text but it is actually structured data. Each section serves a specific purpose and can be read by anyone — JWT is encoded, not encrypted.

The Three Parts of a JWT

Header — The first section. Contains metadata about the token itself: what type of token it is (JWT) and what signing algorithm was used (HS256, RS256, etc.). Decoded, the header above reads:

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload — The second section. This is where the actual data lives. Contains claims — statements about the user or entity and additional metadata. Common claims include user ID, username, roles, and expiration time. Decoded, the payload above reads:

{
  "userId": 1042,
  "name": "Haroon",
  "role": "developer",
  "iat": 1716000000,
  "exp": 1716086400
}

Signature — The third section. A cryptographic signature created using the header, the payload, and a secret key. This is what prevents tampering — if anyone modifies the header or payload, the signature will not match and the token is rejected. The signature cannot be verified without the secret key.

How to Decode a JWT Using TakeTheTools

Open the JWT Decoder on TakeTheTools.

Paste your JWT token into the input field. The decoded header and payload appear instantly, formatted as readable JSON.

You can see:

  • The signing algorithm used
  • All claims in the payload
  • The expiration time in human-readable format (not just a Unix timestamp)
  • Whether the token is expired based on the exp claim

Everything runs in your browser. Your token never gets sent to any server, which is important — JWT tokens are authentication credentials and should not be submitted to third-party servers.

Common JWT Claims — What They Mean

JWTs contain claims — key-value pairs with specific meanings. Some are standard registered claims, others are custom claims defined by your application.

iss (Issuer) — Who issued the token. Usually the authentication server's domain.

sub (Subject) — Who the token represents. Typically a user ID.

aud (Audience) — Who the token is intended for. The service that should accept this token.

exp (Expiration Time) — Unix timestamp after which the token is no longer valid. If the current time is past this value, the token is expired. A common source of bugs when tokens expire unexpectedly.

iat (Issued At) — Unix timestamp of when the token was created.

nbf (Not Before) — Unix timestamp before which the token should not be accepted. The token is valid between nbf and exp.

jti (JWT ID) — A unique identifier for the token. Used to prevent a token from being used more than once.

Custom claims — user roles, permissions, email address, username, organization ID — are defined by the application and can be any valid JSON key-value pair.

JWT Is Encoded, Not Encrypted — This Is Critical

The most common misunderstanding about JWT is confusing encoding with encryption.

The header and payload of a JWT are Base64 URL encoded. Anyone who has the token can decode and read its contents — no key required. Paste any JWT into the TakeTheTools decoder and you can read everything in the payload immediately.

This means you should never store sensitive information in a JWT payload — no passwords, no credit card numbers, no private personal data. Treat the JWT payload as visible to anyone who holds the token.

The signature verifies that the token was issued by a trusted party and has not been modified. It does not hide the content.

If you need to transmit sensitive data inside a JWT, use JWE (JSON Web Encryption), which is a separate standard that actually encrypts the payload. This is less common than standard JWT and requires specific library support.

Debugging JWT Issues — When the Decoder Helps

Token expired. The exp claim contains a Unix timestamp. If you are getting "token expired" errors, decode the token and check the exp value. The TakeTheTools decoder shows this as a human-readable date and time, so you can immediately see when the token expired.

Wrong claims. If authorization is failing unexpectedly, decode the token to verify the claims it contains. Is the role claim correct? Is the userId what you expect? Sometimes the token contains stale data from a previous session.

Algorithm mismatch. If your server is configured to verify HS256 tokens but the token's header says RS256, verification will fail. Decoding the header shows the algorithm used.

Audience mismatch. If the aud claim does not match what your server expects, the token will be rejected. Decoding reveals the audience value in the token.

Debugging during development. When building authentication features, decoding your own tokens lets you verify that the payload contains the right data before writing any verification logic.

Security Practices for JWT

Keep tokens short-lived. Set short expiration times — 15 minutes to 1 hour for access tokens. Use refresh tokens for maintaining sessions across longer periods.

Use HTTPS always. JWTs transmitted over HTTP can be intercepted. Always use HTTPS for any request that includes a JWT.

Store tokens safely. In browser applications, storing JWTs in localStorage makes them accessible to JavaScript and vulnerable to XSS attacks. HttpOnly cookies are more secure for browser storage.

Do not store sensitive data in the payload. As explained above, the payload is readable by anyone with the token.

Validate the signature server-side. Decoding a JWT and reading its claims does not verify its integrity. Always verify the signature on the server before trusting any claims in the payload.

Final Thoughts

JWT tokens are everywhere in modern web authentication, and the ability to decode and inspect them quickly is a practical daily tool for any backend or full-stack developer. Knowing what is inside a token — and whether it is expired, what claims it contains, what algorithm it uses — speeds up debugging significantly.

The TakeTheTools JWT Decoder reads any JWT token, formats the header and payload as readable JSON, and shows expiration in human time — all in your browser, never sending your token anywhere.

All Articles
Free Tool

JWT Decoder

Use this tool free — no signup required.

Open Tool