OhMyApps
Back to Blog
Tools Developer Tutorial JWT Authentication

JWT Decoder Guide: Read Token Claims Safely

3 min read By OhMyApps

A JSON Web Token, or JWT, often appears in authentication systems as three long Base64URL-looking strings separated by dots. The JWT Decoder helps you inspect those parts without setting up a project or writing a script.

For beginners, the key point is simple: decoding is not the same as trusting. A decoder can read the header and payload. It does not prove the token is valid, unmodified, or safe to accept.

What a JWT Contains

Most JWTs have three parts:

  • Header: usually includes the token type and signing algorithm.
  • Payload: includes claims such as subject, issuer, issued time, expiration time, roles, or custom app data.
  • Signature: helps a server verify that the token was signed by the expected party.

The OhMyApps decoder displays the header and payload as readable JSON and highlights common time-based fields such as iat and exp.

How to Use the Decoder

  1. Open the JWT Decoder.
  2. Paste the token into the input box.
  3. Confirm it has three dot-separated parts.
  4. Read the header to see the declared algorithm.
  5. Read the payload to inspect claims such as sub, iss, aud, iat, and exp.
  6. Treat the output as inspection only unless your backend verifies the signature.

This is useful when debugging login flows, checking why an API request is rejected, confirming whether a token is expired, or explaining what a client app is sending to a server.

Claims Beginners Should Check

Start with exp, the expiration time. If it is in the past, the token should normally be rejected. Then check iss, the issuer, and aud, the audience, because those fields describe who issued the token and who it was intended for. sub usually identifies the user or subject.

Custom claims vary by application. A role like admin in the payload is not proof that the user is an admin unless the signature is verified and the server trusts the issuer.

Important Security Boundary

A JWT payload is encoded, not encrypted. Anyone who has the token can usually read the header and payload. Do not put passwords, API secrets, private personal data, or sensitive business information into a JWT payload unless the token is separately encrypted and your security model accounts for it.

The decoder does not ask for a secret key and does not verify signatures. That is intentional for a lightweight browser tool. If you need to validate a production token, use your application code, identity provider tooling, or a trusted backend environment.

Nearby Tools

JWTs often sit next to other developer tasks. Use JSON Formatter for copied claim objects, Base64 Encode/Decode for simpler encoded text, 2FA Code Generator for TOTP debugging, and Hash Generator for digest checks.

Privacy Note

Do not paste live access tokens, refresh tokens, or customer session tokens into tools unless your policy allows it. Prefer expired, redacted, or local development tokens when writing bug reports.


Try the free JWT Decoder when you need to inspect token claims quickly and understand what they mean.

OhMyStar icon

macOS

Try OhMyStar

The best way to organize your GitHub Stars

Learn More