JWT Decoder Guide: Read Token Claims Safely
A JSON Web Token, or JWT, often appears in authentication systems as three long Base64URL-looking strings separated by dots. The JWT Decoder helps you inspect those parts without setting up a project or writing a script.
For beginners, the key point is simple: decoding is not the same as trusting. A decoder can read the header and payload. It does not prove the token is valid, unmodified, or safe to accept.
What a JWT Contains
Most JWTs have three parts:
- Header: usually includes the token type and signing algorithm.
- Payload: includes claims such as subject, issuer, issued time, expiration time, roles, or custom app data.
- Signature: helps a server verify that the token was signed by the expected party.
The OhMyApps decoder displays the header and payload as readable JSON and highlights common time-based fields such as iat and exp.
How to Use the Decoder
- Open the JWT Decoder.
- Paste the token into the input box.
- Confirm it has three dot-separated parts.
- Read the header to see the declared algorithm.
- Read the payload to inspect claims such as
sub,iss,aud,iat, andexp. - Treat the output as inspection only unless your backend verifies the signature.
This is useful when debugging login flows, checking why an API request is rejected, confirming whether a token is expired, or explaining what a client app is sending to a server.
Claims Beginners Should Check
Start with exp, the expiration time. If it is in the past, the token should normally be rejected. Then check iss, the issuer, and aud, the audience, because those fields describe who issued the token and who it was intended for. sub usually identifies the user or subject.
Custom claims vary by application. A role like admin in the payload is not proof that the user is an admin unless the signature is verified and the server trusts the issuer.
Important Security Boundary
A JWT payload is encoded, not encrypted. Anyone who has the token can usually read the header and payload. Do not put passwords, API secrets, private personal data, or sensitive business information into a JWT payload unless the token is separately encrypted and your security model accounts for it.
The decoder does not ask for a secret key and does not verify signatures. That is intentional for a lightweight browser tool. If you need to validate a production token, use your application code, identity provider tooling, or a trusted backend environment.
Nearby Tools
JWTs often sit next to other developer tasks. Use JSON Formatter for copied claim objects, Base64 Encode/Decode for simpler encoded text, 2FA Code Generator for TOTP debugging, and Hash Generator for digest checks.
Privacy Note
Do not paste live access tokens, refresh tokens, or customer session tokens into tools unless your policy allows it. Prefer expired, redacted, or local development tokens when writing bug reports.
Try the free JWT Decoder when you need to inspect token claims quickly and understand what they mean.
Related Articles
May 6, 2026
Regex Tester Guide: Debug Patterns Without Guesswork
Learn how to test regular expressions with sample text, flags, live matches, capture groups, and beginner-friendly debugging habits.
March 13, 2026
JSON Formatter and Validator Guide: Fix, Read, and Share JSON
A practical beginner guide to formatting, validating, debugging, and safely sharing JSON snippets with the free OhMyApps JSON formatter.
June 8, 2026
Random Color Generator Guide: HEX and RGB Ideas
A short guide to generating random colors, copying HEX values, reviewing RGB output, and using color history responsibly.
June 1, 2026
Dice Roller Guide: Roll d6, d20, and Modifiers
A short guide to rolling virtual dice, choosing sides and quantities, adding modifiers, and reading roll history.