How to decode JWT tokens

June 21, 2026 · 12 min read

A JSON Web Token is three dot-separated segments. Decoding means Base64URL-decoding the first two to JSON - no secret required. Verifying means checking the signature with the issuer's key. Support engineers decode constantly; security engineers insist you still verify before trusting claims in production code.

Split the three parts

Split on ".". Segment 1 is the header (algorithm and type). Segment 2 is the payload (claims). Segment 3 is the signature. If you do not get exactly three parts, the token is malformed (a compact signed JWT, a JWS, always has three; an encrypted JWE has five).

Base64URL decode

Replace URL-safe characters, add padding if needed, then decode. Libraries in every language handle this; manual decode is error-prone when padding is omitted.

// Example decoded payload
{
  "sub": "user_8f3a",
  "iss": "https://auth.example.com",
  "aud": "api.example.com",
  "exp": 1785513600,
  "iat": 1785510000
}

Read important claims

Decode is not verify

Anyone can forge a payload and sign with their own key. Your API must verify with the correct HMAC secret or asymmetric public key and reject alg: none. Use maintained libraries (jose, PyJWT, etc.) in application code.
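The decode steps above (split on ".", restore Base64URL padding) and the verify step (pin the algorithm, check the HMAC, reject alg none) as one added example, not code from the article. It uses only the Python standard library; the secret, claims and helper names are constructed for the demonstration.

```python
# Added example: decode a JWS without trusting it, then verify it properly.
# The secret and claims below are constructed for illustration.
import base64, hashlib, hmac, json, time

def b64url_decode(segment: str) -> bytes:
    # Base64URL omits "=" padding; restore it, then decode with the URL-safe alphabet.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_jwt(token: str) -> tuple:
    """Decode header and payload WITHOUT verifying. Never trust the result."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected 3 dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload

def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Verify an HS256 JWS and return its claims, or raise ValueError."""
    header, payload = decode_jwt(token)
    # The header is attacker-controlled: pin the expected algorithm so that
    # "none" (or any algorithm swap) is rejected before the signature is checked.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signing_input, sig = token.rsplit(".", 1)
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):  # constant-time compare
        raise ValueError("bad signature")
    if payload.get("exp", 0) <= (now if now is not None else int(time.time())):
        raise ValueError("token expired")
    return payload

def make_hs256(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a token (demo helper; alg is overridable to show an alg-none token)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    signing_input = header + "." + body
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return signing_input + "." + b64url_encode(sig)
```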

Use the browser JWT decoder

Paste the token into the JWT decoder to see formatted JSON and human-readable timestamps. Processing stays local - appropriate for staging tokens and learning, not a substitute for server-side verification.

FAQ

Do I need the secret to decode?
No. Only verification requires the secret or public key.
Why is my decoded payload garbled?
Usually wrong Base64 alphabet (standard vs URL-safe) or a token that is encrypted (JWE), not a signed JWT (JWS).
