What is JWT and How to Decode It

Tags: jwt, authentication, security

What is a JSON Web Token (JWT)?

JSON Web Token (JWT, pronounced “jot”) is an open standard (RFC 7519) that defines a compact, URL-safe way to transmit claims between parties as a JSON object. The claims are protected either by a digital signature or MAC (a JWS, which is the form almost everyone means by “JWT” and the one described on this page) or by encryption (a JWE). “Secure” here means integrity: a signed JWT cannot be altered without detection, but its contents are readable by anyone who holds it.

JWTs are widely used in modern web applications for authentication and authorization. When a user logs in, the server creates a JWT containing the user’s identity and permissions, signs it, and sends it back to the client. The client then includes the token in subsequent requests, typically in an Authorization: Bearer header, and the server verifies the signature on each request instead of looking up a server-side session.

JWT Structure

A JWT consists of three Base64url-encoded parts separated by dots (.): the header, the payload and the signature:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

1. Header

The header typically contains two fields:

  • alg — the signing algorithm (e.g., HS256, RS256)
  • typ — the token type (JWT)

{
  "alg": "HS256",
  "typ": "JWT"
}

2. Payload

The payload contains claims — statements about the user and additional data:

  • Registered claims: names defined by RFC 7519 with fixed meanings, all optional: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), jti (token ID)
  • Public claims: names that are either registered in the IANA “JSON Web Token Claims” registry (e.g., name and email, which come from OpenID Connect) or otherwise collision-resistant, such as a URI
  • Private claims: custom names agreed upon by the producer and consumer (e.g., role below); they mean only what that agreement says they mean

{
  "sub": "1234567890",
  "name": "John Doe",
  "role": "admin",
  "iat": 1516239022,
  "exp": 1516325422
}

3. Signature

The signature is computed over the two encoded parts that precede it, using the algorithm named in alg. For HS256 it is an HMAC-SHA256 keyed with a secret shared between issuer and verifier:

HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)

For asymmetric algorithms such as RS256 or ES256 the issuer signs with its private key and any verifier checks with the matching public key, so verifiers never need to hold signing material. Either way the verifier checks the value over the exact bytes it received: a mismatch means the header or payload was altered after signing, or the token was signed with a different key. Note what the signature does not do: it does not hide the contents.

How to Decode a JWT

You can decode a JWT to inspect its contents using our JWT Decoder tool:

  1. Paste the JWT token
  2. View the decoded header and payload
  3. Check the expiration status

Since the header and payload are just Base64url-encoded (not encrypted), anyone holding the token can decode them; no key is needed. The signature is what prevents tampering, but checking it requires key material a decoder does not have: the shared secret for HMAC algorithms such as HS256, or the issuer’s public key for RS256/ES256. A decoder therefore shows you what a token claims, not whether anyone you trust issued it; only a verifier with the key can establish that.

JWT vs Session Cookies

Feature         JWT                                   Session Cookie
State storage   In the token itself (client-side)     On the server; the cookie holds only an ID
Scalability     Stateless, any server can verify      Requires a shared session store
Size            Can be large, sent on every request   Small (just an ID)
Revocation      Difficult before expiry               Easy (delete the entry from the store)

Security Best Practices

  • Always verify the signature on the server, on every request, before trusting any claim
  • Decide the accepted algorithm(s) in server configuration and reject everything else, including "none"; never let the token’s own alg header choose how it is verified
  • Set short expiration times and always check exp (and nbf when present)
  • Use HTTPS to prevent token interception
  • Never store sensitive data in the payload (it is encoded, not encrypted, unless you use JWE)
  • Use refresh tokens for long-lived sessions, so access tokens can stay short-lived
  • Validate the iss and aud claims, so a token minted for another service is not accepted by yours
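To tie the three decoding steps above to the checks in this list, here is an added example written for this page; it is not the page’s decoder tool or any library’s code, and it uses only the Python standard library. It decodes the page’s sample token without a key and reports its expiration status, then verifies a token the way a server should: algorithm allowlist first, HMAC-SHA256 over the exact bytes received, then exp, iss and aud. It accepts only HS256. The secret, issuer, audience and timestamps are constructed placeholders. It also shows what decoding alone buys an attacker: the same code rewrites role to admin, and only the signature check catches it.

```python
import base64
import hashlib
import hmac
import json
import time

# The server decides which algorithms it accepts; trusting the token's own "alg"
# header is what lets "alg": "none" and HMAC/RSA key-confusion forgeries through.
ALLOWED_ALGS = {"HS256"}

# The sample token shown on this page.
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it or urlsafe_b64decode fails.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compact_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def decode_unverified(token: str):
    """Decoder steps 1-2: split on '.' and decode header and payload. No key is
    used, so this shows what the token claims, not whether it is genuine."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWS has exactly three dot-separated parts")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1])), parts[2]


def expiration_status(payload: dict, now: int) -> str:
    """Decoder step 3: compare exp (seconds since the Unix epoch) with now."""
    if "exp" not in payload:
        return "no exp claim"
    return "expired" if now >= payload["exp"] else "valid"


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)"""
    signing_input = compact_json(header) + "." + compact_json(payload)
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Server-side check: algorithm allowlist, signature, exp, iss and aud.
    Returns the payload if everything passes, raises ValueError otherwise."""
    header, payload, signature_b64 = decode_unverified(token)
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm %r not allowed" % header.get("alg"))
    # MAC the bytes exactly as received; re-serialising the JSON could change
    # key order or whitespace and break an otherwise valid signature.
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("signature mismatch (tampered token or wrong key)")
    now = int(time.time()) if now is None else now
    if expiration_status(payload, now) != "valid":
        raise ValueError("token expired or has no exp claim")
    if payload.get("iss") != issuer:
        raise ValueError("unexpected issuer %r" % payload.get("iss"))
    aud = payload.get("aud")  # a string or a list of strings (RFC 7519 4.1.3)
    if not (aud == audience or (isinstance(aud, list) and audience in aud)):
        raise ValueError("token not issued for audience %r" % audience)
    return payload


def tamper_role(token: str, new_role: str) -> str:
    """What decoding alone buys an attacker: edit a claim, keep the old signature."""
    header_b64, _, signature_b64 = token.split(".")
    payload = decode_unverified(token)[1]
    payload["role"] = new_role
    return header_b64 + "." + compact_json(payload) + "." + signature_b64


# Constructed demo values: placeholder secret, issuer and audience, fixed clock.
SECRET = b"demo-secret-do-not-use"
ISSUER, AUDIENCE, NOW = "https://auth.example", "api.example", 1700000100
CLAIMS = {"sub": "1234567890", "role": "user", "iss": ISSUER, "aud": AUDIENCE,
          "iat": 1700000000, "exp": 1700000300}

if __name__ == "__main__":
    header, payload, _ = decode_unverified(SAMPLE_TOKEN)
    print("sample header :", header)
    print("sample payload:", payload)
    print("sample exp    :", expiration_status(payload, int(time.time())))

    token = sign_hs256({"alg": "HS256", "typ": "JWT"}, CLAIMS, SECRET)
    print("fresh token   :", verify(token, SECRET, ISSUER, AUDIENCE, now=NOW))
    for label, bad, at in [
        ("role edited", tamper_role(token, "admin"), NOW),
        ("alg none", compact_json({"alg": "none", "typ": "JWT"}) + "." + token.split(".")[1] + ".", NOW),
        ("other key", sign_hs256({"alg": "HS256", "typ": "JWT"}, CLAIMS, b"other-secret"), NOW),
        ("expired", token, NOW + 7200),
    ]:
        try:
            verify(bad, SECRET, ISSUER, AUDIENCE, now=at)
            print(label, ": ACCEPTED (this would be a bug)")
        except ValueError as err:
            print(label, ": rejected,", err)
```

Run it directly to watch each forgery get rejected. The part worth copying into real code is the shape of verify: the algorithm comes from server configuration rather than the token, the MAC is compared with hmac.compare_digest over the token bytes as received, and the claim checks run only after the signature has passed.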

Try It Yourself

Use our JWT Decoder to decode and inspect any JWT token. You can also use our Base64 Decoder to manually decode individual JWT parts.