JSON Web Tokens (JWT) carry claims (e.g., user id, roles, expiry) in a compact, URL-safe way. This guide explains how to decode JWTs safely in your browser.
How to use the JWT Decoder
- Paste your JWT (three dot-separated parts) into the input.
- Click Decode to view the header and payload as formatted JSON.
- Review claims like iss, sub, aud, iat and exp.
Open the JWT Decoder
Example
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkppbSIsImlhdCI6MTUxNjIzOTAyMn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Decoded header
{
"alg": "HS256",
"typ": "JWT"
}
Decoded payload
{
"sub": "1234567890",
"name": "Jim",
"iat": 1516239022
}
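The decoding step the tool performs is nothing more than base64url-decoding the first two segments and parsing them as JSON; no key is involved, so a token whose payload has been rewritten decodes just as cleanly as the original. The following is an added example (not the page's own code) that decodes the token from the Example section above and then rewrites its payload while keeping the original header and signature, to show that decoding alone cannot tell the two apart. The token constant and the helper names are this example's own.

```python
import base64
import json

# The token shown in the page's Example section (embedded here as the sample input).
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkppbSIsImlhdCI6MTUxNjIzOTAyMn0."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def b64url_decode(segment: str) -> bytes:
    """JWT segments drop the '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token: str):
    """Split a compact JWS into (header, payload, encoded signature).

    This is exactly what a browser-side decoder does. It involves no key and
    therefore says nothing about whether the token is genuine.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, parts[2]


def tamper(token: str, **new_claims) -> str:
    """Rewrite payload claims but keep the original header and signature.

    The result still decodes without complaint; only signature verification
    (which this function deliberately never touches) could reject it.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(new_claims)
    new_payload_b64 = b64url_encode(
        json.dumps(payload, separators=(",", ":")).encode("utf-8")
    )
    return ".".join([header_b64, new_payload_b64, sig_b64])


if __name__ == "__main__":
    header, payload, sig = decode_unverified(PAGE_TOKEN)
    print(json.dumps(header, indent=2))
    print(json.dumps(payload, indent=2))
    forged = tamper(PAGE_TOKEN, role="admin")
    _, forged_payload, forged_sig = decode_unverified(forged)
    print("forged payload decodes to:", forged_payload)
    print("signature segment unchanged:", forged_sig == sig)
```

The forged token carries the same signature segment as the original, so anything that stops at decoding (including this tool) will display the injected claim as if it were real.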
Best practices
- Do not trust decoded data: Decoding is not verification—anyone can change payloads.
- Verify signatures server-side: Use your language’s JWT library with the correct keys.
- Check expiry: Reject tokens past exp or not yet valid per nbf.
- Validate audience/issuer: Ensure aud and iss match the values your service expects.
- Avoid secrets in payload: The JWT payload is base64url-encoded, not encrypted; anyone holding the token can read it.
Common pitfalls
- Letting the token's alg header choose the verification algorithm: the verifier should pin the algorithm it expects (HS256 or RS256, never none) and reject any token that claims otherwise, since a token is attacker-controlled input.
- Using the same key for multiple tenants without isolation.
- Validating exp/nbf on systems with unsynchronized clocks: keep clocks in sync and allow only a small, explicit leeway.
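The best practices and pitfalls above describe what a server-side check must do: pin the algorithm, verify the signature in constant time, then check exp/nbf with a bounded leeway and match aud/iss. The following is an added example (not the page's own code, and not a substitute for a maintained JWT library) that implements those checks for HS256 with only the Python standard library. The secret, issuer and audience values are hypothetical; sign_hs256 exists only to mint tokens to check, and the demo at the bottom feeds a payload-swapped token and an alg=none token through the verifier to show both being rejected.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical server-side secret for this example. A real HS256 key comes from a
# secret store and carries at least 256 bits of randomness.
SECRET = b"example-hs256-secret-not-for-production"


def b64url_decode(segment: str) -> bytes:
    """JWT segments drop the '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs256(claims, key, header=None):
    """Mint a compact HS256 JWS. Used here only to produce tokens to verify."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token, key, issuer, audience, now=None, leeway=30):
    """Return the claims only if the token is authentic and valid at `now`.

    The verifier decides the algorithm instead of trusting the token's alg,
    compares the MAC in constant time, and checks exp/nbf with a small leeway
    so modest clock skew between issuer and verifier does not break logins.
    Every failure raises ValueError so a caller cannot silently ignore one.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: "none", "HS512", "RS256" and the rest are rejected here,
    # so a rewritten header cannot steer the check onto a weaker or mismatched path.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % (header.get("alg"),))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Only now is the payload worth reading.
    claims = json.loads(b64url_decode(payload_b64))
    # Policy choice for this example: exp is mandatory for access tokens.
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired or missing exp")
    if now < claims.get("nbf", 0) - leeway:
        raise ValueError("token not yet valid")
    aud = claims.get("aud")  # RFC 7519 allows a single string or a list
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    return claims


if __name__ == "__main__":
    now = int(time.time())
    claims = {"iss": "https://issuer.example", "aud": "api", "sub": "u1",
              "iat": now, "exp": now + 300}
    token = sign_hs256(claims, SECRET)
    print("valid:", verify_hs256(token, SECRET, "https://issuer.example", "api"))
    # Same header and signature, payload swapped: decodes fine, does not verify.
    h, _, s = token.split(".")
    _, p2, _ = sign_hs256({**claims, "sub": "admin"}, SECRET).split(".")
    swapped = h + "." + p2 + "." + s
    # alg=none with an empty signature segment.
    unsigned = sign_hs256(claims, SECRET, header={"alg": "none"}).rsplit(".", 1)[0] + "."
    for bad in (swapped, unsigned):
        try:
            verify_hs256(bad, SECRET, "https://issuer.example", "api")
        except ValueError as err:
            print("rejected:", err)
```

The order of checks matters: the signature is verified before any claim is read, so expiry or audience logic never runs over attacker-controlled data. With a real library the equivalent is passing the expected algorithm, audience and issuer explicitly rather than relying on defaults.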
FAQs
Is decoding the same as verification?
No. Decoding only reveals the header and payload. Verification requires the shared secret (for HMAC algorithms such as HS256) or the issuer's public key (for RS256, ES256 and similar), and it must be done server-side before any claim is trusted.
Are tokens encrypted?
No. A signed JWT (JWS) is not encrypted; its payload is only base64url-encoded and can be read by anyone who holds the token. Use JWE if the claims must stay confidential.
Does the tool upload my JWT?
No. Decoding happens locally in your browser.
Try it now: JWT Decoder