
JWT Tokens Explained — How They Work and How to Decode Them


What is a JWT Token?

A JSON Web Token (JWT) is a compact, URL-safe token used to transmit information between two parties. JWTs are widely used for authentication — when you log into a web app, the server often sends back a JWT that your browser stores and sends with every future request.

JWT Structure

A JWT has three parts separated by dots:

eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiUmF2aSJ9.signature
     Header                Payload               Signature

Each part is Base64Url encoded.

Header — specifies the signing algorithm:

```json
{ "alg": "HS256", "typ": "JWT" }
```

Payload — contains the claims (user data):

```json
{
  "sub": "user_123",
  "name": "Ravi Mehta",
  "iat": 1700000000,
  "exp": 1700086400
}
```

Signature — verifies the token was not tampered with.

How to Decode a JWT with JSONKit

Open the JWT Decoder at /jwt-decoder and paste your token. JSONKit decodes the header and payload instantly and shows:

  • Human-readable dates for iat, exp and nbf claims
  • A green banner if the token is still valid or red if it has expired
  • A description of each standard claim (sub, iss, aud, exp, iat, jti)
  • Color-coded token parts matching the standard JWT color convention

Your token never leaves your browser. Decoding happens entirely in JavaScript using atob().

Security Notes

Never put sensitive data in the payload — it is only encoded, not encrypted. Always verify the signature on the server using the secret key. Check the exp claim — expired tokens should be rejected. Never decode JWTs on a third-party website you do not trust.
