JWTs are the backbone of modern authentication, used by Firebase, Auth0, Supabase, and countless APIs. Yet many developers treat them as opaque strings. Decoding a JWT reveals the header algorithm, payload claims, expiration time, and user data. This transparency is both JWT's strength and a security consideration: whoever holds a token can read everything in it.
What Is JWT Decoder?
A JWT (JSON Web Token) has three Base64url-encoded parts separated by dots: header.payload.signature. Our JWT Decoder splits and decodes all three parts, highlighting expiration times and common claims.
How to Use JWT Decoder on DevToolHub
- Open the JWT Decoder tool on DevToolHub — no signup required.
- Paste or enter your input data in the left panel.
- See the result instantly in the output panel.
- Copy the result or download it as a file.
Inside a JWT Token
Decode the three parts of a real JWT:
// Encoded JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE3MTYyMzkwMjJ9.signature
// Decoded Header
{"alg": "HS256", "typ": "JWT"}
// Decoded Payload
{
  "sub": "1234567890",
  "name": "Alice",
  "iat": 1516239022,
  "exp": 1716239022
}
// Common claims:
// sub = subject (user ID)
// iat = issued at
// exp = expiration time
// iss = issuer
Pro Tips
- JWTs are encoded, NOT encrypted — anyone can read the payload by Base64-decoding it
- Never store sensitive data (passwords, credit cards) in JWT claims — they're readable by anyone
- Check the 'exp' claim to debug 'token expired' errors — compare with the current Unix timestamp
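- The 'alg: none' vulnerability allows unsigned tokens: a verifier that trusts the algorithm named in the token header will accept a token with no signature at all. Always validate the signature server-side, against the algorithm you expect.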
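The tips above as an added example (not DevToolHub's code): decoding a token only reads it, while the server-side check pins HS256, verifies the HMAC and enforces 'exp'. The key, the function names and the sample tokens are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part):
    # JWT segments are unpadded base64url; restore '=' padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_unverified(token):
    """Read header and claims for inspection only; this proves nothing about authenticity."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def verify_hs256(token, key, now=None):
    """Return the claims only if the token is HS256-signed with `key` and unexpired."""
    header, claims = decode_unverified(token)
    # Pin the algorithm on the server; never let the token's header choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input, _, signature = token.rpartition(".")
    expected = b64url_encode(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def make_token(header, claims, key=b""):
    # Helper that builds the constructed sample tokens used below.
    body = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    if header["alg"] == "none":
        return body + "."  # unsigned token: empty signature segment
    return body + "." + b64url_encode(hmac.new(key, body.encode(), hashlib.sha256).digest())

KEY = b"constructed-demo-key"  # sample key, not a real secret
CLAIMS = {"sub": "1234567890", "name": "Alice", "iat": 1516239022, "exp": 1716239022}
SIGNED = make_token({"alg": "HS256", "typ": "JWT"}, CLAIMS, KEY)
UNSIGNED = make_token({"alg": "none", "typ": "JWT"}, CLAIMS)

def outcome(token, key, now):
    try:
        return "accepted: " + verify_hs256(token, key, now)["sub"]
    except ValueError as err:
        return "rejected: " + str(err)

for tok, now in ((SIGNED, 1700000000), (SIGNED, 1800000000), (UNSIGNED, 1700000000)):
    print(decode_unverified(tok)[0]["alg"], outcome(tok, KEY, now))
```

Both sample tokens decode to the same readable claims; only the signed, unexpired one passes verification.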
When You Need This
- Debugging authentication failures by inspecting token claims
- Verifying token expiration times during development
- Checking which user permissions are encoded in a token
- Auditing JWT payloads for accidentally exposed sensitive data