What Is a JWT Token?
A JSON Web Token (JWT) is a compact, self-contained token used to represent claims between two parties — usually a user and a server. When you log into a web application, the server typically issues a JWT that your browser stores and sends with every subsequent request to prove your identity.
JWTs are stateless — the server does not need to look up a session in a database for every request. All the information the server needs is encoded inside the token itself.
The Three Parts of a JWT
A JWT has three parts separated by dots, each Base64Url encoded.
Header — specifies the algorithm used to sign the token:
{ "alg": "HS256", "typ": "JWT" }
Payload — contains the claims:
{
  "sub": "user_123",
  "name": "Ravi",
  "iat": 1700000000,
  "exp": 1700086400
}
Signature — a cryptographic signature that verifies the token has not been tampered with.
Using JSONKit JWT Decoder
Open the JWT Decoder at /jwt-decoder and paste your token. JSONKit shows:
- Color-coded token parts — header in blue, payload in teal, signature in pink
- A green banner if the token is still valid, or a red one if it has expired, with the exact expiry date and time
- Human-readable dates alongside raw Unix timestamps for iat, exp and nbf claims
- Standard claim descriptions — sub means Subject (user ID), iss means Issuer, aud means Audience, exp means Expiration Time
- Copy JSON button per section to copy the header or payload independently
Your token is never sent anywhere. Decoding happens entirely in your browser.
Decoding vs Verifying
Decoding reads the header and payload by reversing the Base64Url encoding. Anyone can do this — no secret key is needed. Verifying checks the signature using the secret key to confirm the token was not modified. Verification must only happen on the server.
How to Check Token Expiry in Code
// Take the payload (second dot-separated part). atob() only understands standard
// Base64, so map the Base64Url alphabet back and restore the "=" padding first.
const b64 = token.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
const payload = JSON.parse(atob(b64.padEnd(Math.ceil(b64.length / 4) * 4, "=")));
const isExpired = Date.now() / 1000 > payload.exp;
console.log(isExpired ? "Token expired" : "Token valid");
JWT Security Best Practices
Never put sensitive data in the payload — it is only encoded, not encrypted. Always verify the signature on the server. Use short expiry times — access tokens should expire in 15 minutes to 1 hour. Always use HTTPS. Never log tokens. For sensitive applications, use HttpOnly cookies instead of localStorage to store tokens.