How to Decode JWT Tokens
JSON Web Tokens (JWTs) are a compact, URL-safe means of representing claims to be transferred between two parties. They are widely used for authentication and information exchange.
Structure of a JWT
A JWT typically consists of three parts separated by dots (.):
- Header: Contains the type of token (JWT) and the signing algorithm being used (e.g., HMAC SHA256 or RSA).
- Payload: Contains the claims. Claims are statements about an entity (typically, the user) and additional data.
- Signature: Used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn’t changed along the way.
How to Decode a JWT
While JWTs are Base64Url encoded, they are not encrypted (unless using JWE). This means anyone can decode the header and payload to read the contents.
Warning: Because the payload is easily readable, never put secret information (like passwords) in the payload or header elements of a JWT unless it is encrypted.
Using Our Tool
We have built a simple, secure, client-side tool to help you decode and inspect your JWT tokens. Since it runs entirely in your browser, your tokens are never sent to a server.
Manual Decoding
If you want to decode a JWT manually in JavaScript, you can split the token and decode the parts:
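function parseJwt(token) {
    // The payload is the second dot-separated part of the token.
    var base64Url = token.split('.')[1];
    // Map the Base64Url alphabet back to standard Base64.
    var base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');
    // atob() returns one character per byte; percent-encode each byte so that
    // decodeURIComponent() reassembles multi-byte UTF-8 characters.
    var jsonPayload = decodeURIComponent(window.atob(base64).split('').map(function (c) {
        return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);
    }).join(''));
    return JSON.parse(jsonPayload);
}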
However, dealing with proper Base64 URL decoding and UTF-8 characters can be tricky. That’s why using a library like jwt-decode or our online tool is recommended.
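The tricky parts mentioned above (missing padding, UTF-8, malformed input) are handled in the following added example, which is not code from this page or from jwt-decode. It decodes the header and payload for inspection and flags an expired or unsigned token, but decoding is not verification: the signature is never checked, so the claims must not be trusted for authorization. The names `inspectJwt`, `decodeSegment`, `b64urlToBytes` and `encodeSegment`, and the sample claims, are assumptions made for illustration.

```javascript
// Added example: decode-only inspection. Nothing here verifies the signature.
function b64urlToBytes(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment) || segment.length % 4 === 1) {
    throw new Error('not valid Base64Url');
  }
  // Base64Url drops '=' padding; restore it and map back to the standard alphabet.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(segment.length / 4) * 4, '=');
  return Uint8Array.from(atob(b64), (ch) => ch.charCodeAt(0));
}

function decodeSegment(segment) {
  // fatal: true rejects malformed UTF-8 instead of substituting U+FFFD.
  const text = new TextDecoder('utf-8', { fatal: true }).decode(b64urlToBytes(segment));
  const value = JSON.parse(text);
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error('segment is not a JSON object');
  }
  return value;
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) {
    throw new Error('expected 3 dot-separated parts, got ' + parts.length);
  }
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  const warnings = [];
  if (String(header.alg).toLowerCase() === 'none') warnings.push('alg is none (unsigned)');
  if (parts[2] === '') warnings.push('signature segment is empty');
  if (typeof payload.exp === 'number' && payload.exp <= nowSeconds) warnings.push('expired');
  return { header, payload, signatureVerified: false, warnings };
}

// Hypothetical helper, used only to build the constructed sample below.
function encodeSegment(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Constructed sample token; the third part is a placeholder, not a real signature.
const sampleToken = [
  encodeSegment({ alg: 'HS256', typ: 'JWT' }),
  encodeSegment({ sub: 'user-123', name: 'Zoë', exp: 1700000000 }),
  'c2lnbmF0dXJl',
].join('.');
console.log(inspectJwt(sampleToken, 1800000000));
```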
Conclusion
Understanding what’s inside your JWTs is crucial for debugging authentication issues. Use our JWT Decoder to quickly inspect your tokens.