How to Decode JWT Tokens

by Raj

JSON Web Tokens (JWTs) are a compact, URL-safe means of representing claims to be transferred between two parties. They are widely used for authentication and information exchange.

Structure of a JWT

A JWT typically consists of three parts separated by dots (.):

  1. Header: Contains the type of token (JWT) and the signing algorithm being used (e.g., HMAC SHA256 or RSA).
  2. Payload: Contains the claims. Claims are statements about an entity (typically, the user) and additional data.
  3. Signature: Used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn’t changed along the way.

How to Decode a JWT

While JWTs are Base64Url encoded, they are not encrypted (unless using JWE). This means anyone can decode the header and payload to read the contents.

Warning: Because the payload is easily readable, never put secret information (like passwords) in the payload or header elements of a JWT unless it is encrypted.

Using Our Tool

We have built a simple, secure, client-side tool to help you decode and inspect your JWT tokens. Since it runs entirely in your browser, your tokens are never sent to a server.

Try the JWT Decoder Tool

Manual Decoding

If you want to decode a JWT manually in JavaScript, you can split the token and decode the parts:

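// Decodes the payload (second part) of a JWT. This only reads the claims; it does not verify the signature.
function parseJwt (token) {
    var parts = token.split('.');
    if (parts.length !== 3) {
        throw new Error('Invalid JWT: expected three dot-separated parts');
    }
    var base64Url = parts[1];
    // Convert the Base64URL alphabet back to standard Base64
    var base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');
    // atob() yields one character per byte; percent-encode each byte so
    // decodeURIComponent() can reassemble multi-byte UTF-8 characters
    var jsonPayload = decodeURIComponent(window.atob(base64).split('').map(function(c) {
        return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);
    }).join(''));

    return JSON.parse(jsonPayload);
}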

However, dealing with proper Base64 URL decoding and UTF-8 characters can be tricky. That’s why using a library like jwt-decode or our online tool is recommended.
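The following is an added example, not code from this article, the jwt-decode library or our tool. It decodes all three parts with explicit Base64URL padding and strict UTF-8 handling, and rejects malformed input. The names decodeJwt, b64urlToBytes and makeSampleToken are hypothetical, and the sample token is constructed with a placeholder signature.

```javascript
// Added example: decode-only inspection of a JWT. It does NOT verify the signature.
const utf8 = new TextDecoder('utf-8', { fatal: true }); // throws on invalid UTF-8

// Base64URL -> bytes: check the alphabet, map it back to Base64, restore '=' padding.
function b64urlToBytes(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment) || segment.length % 4 === 1) {
    throw new Error('segment is not valid Base64URL');
  }
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(segment.length / 4) * 4, '=');
  return Uint8Array.from(atob(b64), (ch) => ch.charCodeAt(0));
}

// Split into header.payload.signature; header and payload are UTF-8 JSON,
// the signature is returned as raw bytes.
function decodeJwt(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) {
    throw new Error('expected 3 dot-separated parts, got ' + parts.length);
  }
  const [header, payload] = parts.slice(0, 2)
    .map((p) => JSON.parse(utf8.decode(b64urlToBytes(p))));
  // verified:false marks the claims as untrusted: nothing here checks the signature.
  return { header, payload, signature: b64urlToBytes(parts[2]), verified: false };
}

// --- Constructed sample input (not a real token; the signature is placeholder bytes) ---
const enc = new TextEncoder();
function b64url(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function makeSampleToken() {
  const header = { alg: 'HS256', typ: 'JWT' };
  const payload = { sub: '1234567890', name: 'José 李', admin: true };
  return [
    b64url(enc.encode(JSON.stringify(header))),
    b64url(enc.encode(JSON.stringify(payload))),
    b64url(enc.encode('constructed-not-a-real-signature')),
  ].join('.');
}

const decoded = decodeJwt(makeSampleToken());
console.log(decoded.header, decoded.payload, decoded.signature.length + ' signature bytes');
```

The verified: false field is a reminder that decoded claims are untrusted until the signature has been checked with the issuer's key.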

Conclusion

Understanding what’s inside your JWTs is crucial for debugging authentication issues. Use our JWT Decoder to quickly inspect your tokens.
