Developer Tools | 2/22/2026 | 7 min read | CoolFreeTools Team


What is a JWT Token and How to Decode It Safely

A plain-English explanation of JWTs for web developers, plus a step-by-step guide on how to safely inspect the data inside a live token.


If you have built a web application or mobile app in the last ten years, you have almost certainly interacted with a JSON Web Token (JWT).

They are the backbone of modern authentication. However, to junior developers or non-technical managers, a JWT just looks like a massive, terrifying string of random gibberish characters (eyJhbGci...).

The biggest misconception in web development is that JWTs are encrypted and secretly hide your data. They are not.

In this guide, we'll explain exactly what a JWT is, how to easily crack one open to read the data inside, and why they are designed the way they are.

Need to debug a token right now?

Paste your token into our Free JWT Decoder. We will instantly parse the header and payload directly in your browser without sending the token over the internet.

What actually is a JWT?

A JSON Web Token (pronounced "JOT") is a compact, URL-safe way for two parties to securely transmit information.

Think of a JWT like a hotel keycard. When you check in at the front desk (logging into an app with a username/password), the desk clerk verifies who you are and physically hands you a plastic keycard (the JWT). You then present that keycard to the elevator and your room door to prove you have permission to be there. The door doesn't need to ask the front desk who you are; it just trusts the keycard.

But the most important rule of a JWT is this:

JWTs are signed, not encrypted. Anyone who intercepts the token can read the data inside it, but they cannot modify the data without breaking the signature.

The anatomy of a token

If you look closely at a JWT, you'll see it is actually three distinct text strings separated by two periods (.).

Header.Payload.Signature

1. The Header

This declares the type of token (JWT) and the algorithm used to sign it (the alg field), usually HMAC-SHA256 or RSA.

2. The Payload

This is where the actual data lives. It contains "claims": statements about an entity (typically the user) plus metadata such as the expiration time (exp).

3. The Signature

This is the security mechanism. The server uses a closely guarded Secret Key to compute a signature (or HMAC) over the Header and Payload. If a hacker intercepts the token and changes their "role" from "user" to "admin", the signature will no longer match the modified payload, and a server that checks signatures before trusting any claim will instantly reject the forged token.

How to Decode a JWT

Because the Header and Payload are only Base64Url-encoded (a reversible encoding, not encryption), you don't strictly need special software to read them. A dedicated web tool simply makes formatting the data much easier.

  1. Copy your entire JWT string (starting with eyJ).
  2. Open our client-side JWT Decoder Tool.
  3. Paste the string into the input box.

The tool will instantly separate the three pieces and translate the Base64 Header and Payload back into readable JSON. You'll immediately be able to see exactly what user ID is stored in the token and when it expires.
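The same decoding step as plain JavaScript, added here as an illustration (it is not the code behind the CoolFreeTools decoder). It runs entirely locally in Node or a browser; the sample input is the widely published jwt.io demonstration token, and base64UrlDecode, decodeJwt and isExpired are names chosen for this example.

```javascript
// Base64Url -> text. JWT segments use the URL-safe alphabet with the '=' padding stripped.
function base64UrlDecode(segment) {
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);           // restore the stripped padding
  const bytes = typeof Buffer !== 'undefined'
    ? Buffer.from(b64, 'base64')                            // Node
    : Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));   // browser
  return new TextDecoder().decode(bytes);                   // proper UTF-8, unlike raw atob()
}

// Split header.payload.signature, parse the two JSON parts, pass the signature through untouched.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected three dot-separated segments');
  const [header, payload, signature] = parts;
  return {
    header: JSON.parse(base64UrlDecode(header)),
    payload: JSON.parse(base64UrlDecode(payload)),
    signature, // a MAC/signature, not JSON: there is nothing to decode here
  };
}

// exp is seconds since the Unix epoch. A token without exp is reported as not expired,
// so the caller still has to decide whether such tokens are acceptable at all.
function isExpired(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  return typeof payload.exp === 'number' && nowSeconds >= payload.exp;
}

// Sample input: the widely published jwt.io demonstration token (HS256, no exp claim).
const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header);   // { alg: 'HS256', typ: 'JWT' }
console.log(decoded.payload);  // { sub: '1234567890', name: 'John Doe', iat: 1516239022 }
console.log('expired:', isExpired(decoded.payload));
```

Note that this only reads the token; it does not verify the signature, so nothing it prints should be trusted as authentic.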

Never put secrets in the payload

Because anyone can run the token through a decoder, never put SSNs, passwords, or credit card numbers inside the JWT Payload. Include only claims you would be comfortable exposing, such as a User ID, an email address, or basic permission roles.

The danger of decoding online

While decoding a JWT is a standard debugging step, pasting production (live) tokens into random websites is an extreme security risk. If you paste a live token for your production system into a server-side decoder that quietly logs every submission, you have just handed a hacker a working credential for your system.

Our tools are intentionally built using client-side architecture. This means the JavaScript decoding logic runs directly inside your Chrome or Safari browser memory. Your token never leaves your laptop.


Frequently Asked Questions

Can I decode the Signature portion?

No. The signature is the output of an HMAC or digital-signature algorithm, not an encoded string, so it cannot be "decoded" or reversed to recover the server secret. You can only recompute it (if you know the secret, or, for RSA-style algorithms, check it with the public key) and compare the result with the signature on the token.

Why do we use JWTs if they aren't fully encrypted?

Speed and scale. Traditional sessions require the server to constantly look up a user in a massive database on every single API request. JWTs are "stateless". The server simply checks the math on the signature. If the math checks out, the server trusts the user ID inside the payload instantly without touching the database.

How do I log out a user using a JWT?

This is famously difficult. Because JWTs are stateless, you cannot simply "delete" the token on the server side. You must either wait for the token's built-in expiration time (exp) to pass, or maintain a secondary "blacklist" database of revoked tokens, which reintroduces the per-request lookup that the "stateless" design was meant to avoid.
