
JWT Decoder: How to Inspect JSON Web Tokens

3 min read By OhMyApps

JSON Web Tokens (JWTs) are everywhere in modern web development. They’re used for authentication, authorization, and securely transmitting information between parties. But when something goes wrong with auth, you need to quickly inspect what’s inside a token.

What is a JWT?

A JWT is a compact, URL-safe token format defined by RFC 7519. It consists of three parts separated by dots:

xxxxx.yyyyy.zzzzz
  |      |      |
Header Payload Signature

The header and payload are Base64URL-encoded JSON. The signature is not JSON: it is the Base64URL encoding of the raw MAC or digital-signature bytes computed over the first two parts.

JWT Structure

Header

The header typically contains two fields:

{
  "alg": "HS256",
  "typ": "JWT"
}
  • alg — The signing algorithm (HS256, RS256, ES256, etc.). A verifier must not take this value on trust: until the signature checks out, the header is attacker-controlled input, so a verifier should accept only the algorithm(s) it was configured for and reject "none"
  • typ — The token type (usually “JWT”; the field is optional and some profiles use other values)

Payload (Claims)

The payload contains the actual data, called “claims”:

{
  "sub": "1234567890",
  "name": "John Doe",
  "email": "john@example.com",
  "role": "admin",
  "iat": 1516239022,
  "exp": 1735689600
}

Registered claims (standardized):

  • iss — Issuer
  • sub — Subject (usually user ID)
  • aud — Audience
  • exp — Expiration time (Unix timestamp)
  • iat — Issued at time
  • nbf — Not valid before

Custom claims can be anything your application needs (name, role, permissions, etc.).

Signature

The signature lets a verifier detect tampering. The signing input is the two encoded parts joined with a dot, base64url(header) + "." + base64url(payload). For HS* algorithms the signature is an HMAC computed with a secret shared by issuer and verifier; for RS*, PS* and ES* algorithms it is a digital signature produced with the issuer's private key and checked with the matching public key. Changing a single character of the header or payload invalidates it.

How to Use Our JWT Decoder

  1. Paste your JWT token into the input field
  2. The tool automatically decodes the header and payload in real-time
  3. View the algorithm, issued time, and expiration at a glance
  4. Check if the token is expired or still valid
  5. Copy the decoded header or payload as formatted JSON

What This Tool Does NOT Do

Our decoder only reads the public data in a JWT; it does not verify the signature. A decoded token is an unverified token: the payload shows what the token claims, but only a signature check proves the issuer actually produced it. HMAC verification needs the shared secret, which must never be pasted into a browser tool, and even public-key verification belongs on the server that enforces the decision. Treat any real token you paste anywhere as sensitive, because a JWT is a bearer credential.

Common JWT Debugging Scenarios

Token is Expired

If your API returns 401, decode the token and check the exp claim. It is a Unix timestamp in seconds; if the current time is past it, the token needs to be refreshed. A 401 can also mean the signature or another claim failed, so an unexpired token is not necessarily a valid one.

Wrong Audience or Issuer

Most APIs validate the aud (audience) and iss (issuer) claims. Decode the token to verify these match what the API expects exactly; aud may be a single string or an array of audiences, and a trailing slash or scheme difference in iss is enough to cause a rejection.

Missing Claims

If your app expects certain custom claims (like role or permissions), decode the token to verify the identity provider is including them.

Clock Skew

If tokens seem to expire too early, or are rejected as not yet valid, compare the iat, nbf and exp claims against the validating server's clock. A clock difference between the server issuing tokens and the server validating them shifts every time-based check; validators usually allow a small leeway (a few seconds to a minute) to absorb it, and both sides should keep their clocks synchronized.
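The four scenarios above are exactly the checks a validator runs after decoding. The following added example (not the decoder's code) implements them in Node.js over already-decoded claims, including the leeway that absorbs clock skew; the claim values, issuer and audience are constructed for the demonstration.

```javascript
// Added example (not OhMyApps' tool code): server-side claim checks behind the
// debugging scenarios above. Claims, issuer and audience are constructed.

// Returns a list of problems; an empty list means the claims pass.
// `now` and all claim times are Unix seconds; `leeway` (seconds) absorbs
// clock skew between issuer and validator in every time comparison.
function checkClaims(claims, { now, issuer, audience, leeway = 60, required = [] }) {
  const problems = [];

  // exp: required, and the token is dead once now passes exp (plus leeway).
  if (typeof claims.exp !== 'number') problems.push('exp missing');
  else if (now > claims.exp + leeway) problems.push(`expired at ${claims.exp}`);

  // nbf: optional, token is not usable before it (minus leeway).
  if (typeof claims.nbf === 'number' && now + leeway < claims.nbf)
    problems.push(`not valid before ${claims.nbf}`);

  // iat in the future beyond leeway means the issuer's clock is ahead of ours.
  if (typeof claims.iat === 'number' && claims.iat > now + leeway)
    problems.push(`iat ${claims.iat} is in the future: issuer clock ahead of validator`);

  // iss must match exactly; aud may be a string or an array and must contain us.
  if (claims.iss !== issuer) problems.push(`issuer ${JSON.stringify(claims.iss)} != ${issuer}`);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) problems.push(`audience ${JSON.stringify(claims.aud)} does not include ${audience}`);

  // Custom claims the application depends on must be present.
  for (const name of required) if (!(name in claims)) problems.push(`missing claim ${name}`);
  return problems;
}

// Constructed policy and a baseline set of claims issued at t=1_700_000_000.
const policy = { issuer: 'https://issuer.example', audience: 'api.example', leeway: 60, required: ['role'] };
const base = {
  iss: 'https://issuer.example', aud: ['api.example', 'web.example'],
  sub: '42', role: 'user', iat: 1_700_000_000, exp: 1_700_000_900,
};
const at = (now, claims = base) => checkClaims(claims, { ...policy, now });

function scenarios() {
  return {
    fresh: at(1_700_000_100),                                  // []
    expired: at(1_700_001_000),                                // ['expired at 1700000900']
    skewed: at(1_700_000_100, { ...base, iat: 1_700_000_130 }), // 30 s ahead: inside leeway, []
    farSkew: at(1_700_000_100, { ...base, iat: 1_700_000_300 }), // 200 s ahead: rejected
    wrongAud: at(1_700_000_100, { ...base, aud: 'other.example' }),
    missingRole: at(1_700_000_100, (({ role, ...rest }) => rest)(base)),
  };
}
console.log(scenarios());
```

Note that leeway is applied symmetrically: it widens the window at both the exp and nbf ends and tolerates an iat slightly in the future. Keep it small; a large leeway silently extends the lifetime of every token the validator accepts.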

Security Notes

  • Never share JWTs in public channels or paste them into tools you do not trust: a JWT is a bearer credential, so anyone who holds it can use it, and it usually contains user data as well
  • JWTs are not encrypted by default (a signed JWT is a JWS, not a JWE); anyone can read the payload, so never put secrets in claims
  • Always validate tokens server-side, including the signature and the exp, nbf, iss and aud claims; never trust client-side decoding for authorization
  • Set reasonable expiration times (15 minutes to 1 hour for access tokens), since a stolen token stays usable until it expires

Try our free JWT Decoder tool to quickly inspect any JWT token right in your browser.
