How to Decode JWT Tokens
JWTs (JSON Web Tokens) are everywhere in modern authentication. When a login flow breaks, the fastest way to understand what’s happening is to decode the token and inspect the claims. This guide shows how to decode JWTs, what each part means, and what to look for when debugging.
What is a JWT?
A JWT is a compact token that contains JSON data. A standard JWT has three dot-separated segments:
- Header (Base64url): identifies the signing algorithm and token type
- Payload (Base64url): the “claims” (user id, roles, expiry, issuer)
- Signature: proves integrity (the token was signed with the expected secret or private key)
JWTs are often used as bearer tokens in the Authorization header. They can be signed (JWS) and sometimes encrypted (JWE), though encryption is less common in typical web apps.
Decoding vs verifying (don’t confuse them)
Decoding means reading the header and payload. It does not prove the token is valid. Verification checks the signature using the correct key and ensures claims like exp, aud, and iss are acceptable. When you decode a token in a tool, you’re typically just inspecting it for debugging.
Why decode JWTs?
Decoding is useful when:
- A user is unexpectedly logged out (check exp / expiry)
- An API rejects a request (check aud / audience and iss / issuer)
- Permissions look wrong (check roles/claims in the payload)
- You suspect you’re using the wrong token (check sub or user id)
How to decode a JWT token online
Use our JWT Decoder to paste a token and instantly view the decoded header and payload. The decoder helps you see JSON claims clearly without manual Base64url conversions.
Security tips
- Don’t paste production tokens into untrusted tools. DevToolDock tools are designed to run client-side, but always follow your organization’s security policy.
- Never paste secrets (JWT signing keys). A decoder doesn’t need your secret.
- Remember signatures matter. A decoded payload can be edited; verification is what makes claims trustworthy.
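The difference between decoding and verifying, and a way to inspect tokens locally instead of pasting them into a tool, shown as an added example that is not part of the original guide or of DevToolDock's code. It assumes an HS256-signed token; the key, issuer, audience and claim values are constructed for the demonstration.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(segment):
    # JWT segments omit "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_unverified(token):
    """Read header and payload only. Proves nothing about validity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def verify_hs256(token, key, iss, aud, now=None):
    """Signature first, then exp / iss / aud. Raises ValueError on any failure."""
    header, payload = decode_unverified(token)
    if header.get("alg") != "HS256":  # pin the algorithm, don't trust the header
        raise ValueError("unexpected alg")
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    if payload.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    auds = payload.get("aud", [])  # aud may be a single string or a list
    if payload.get("iss") != iss or aud not in ([auds] if isinstance(auds, str) else auds):
        raise ValueError("wrong iss or aud")
    return payload

def sign_hs256(claims, key):
    """Build a local test token (constructed data only)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

# Constructed sample values, not from any real system.
KEY = b"constructed-demo-key"
CLAIMS = {"sub": "user-123", "role": "viewer", "iss": "https://issuer.example",
          "aud": "api.example", "exp": 2000000000}
TOKEN = sign_hs256(CLAIMS, KEY)
# Same header and signature, payload swapped: decodes fine, fails verification.
head, _, sig = TOKEN.split(".")
EDITED = ".".join([head, b64url_encode(json.dumps({**CLAIMS, "role": "admin"}).encode()), sig])
if __name__ == "__main__":
    print("decoded role from edited token:", decode_unverified(EDITED)[1]["role"])
```

`decode_unverified` returns the edited claims without complaint, while `verify_hs256` rejects the same token, which is why only verified claims should drive authorization decisions.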
Related DevToolDock tools
JWT segments are Base64url. If you’re doing deeper debugging, you may also need Base64 tools: Base64 Encoder and Base64 Decoder. To generate test tokens for local development, use the JWT Generator.