JWT Decoder
Paste any JSON Web Token and instantly see its header, payload, and signature details. Everything runs in your browser and nothing is sent to a server.
Why FileReadyNow
Decode JWT Tokens Instantly Without Leaving Your Browser
Paste your token, click decode, and read every claim, timestamp, and algorithm detail in a clean, organized layout.
Completely Private
Your token never leaves your machine. The entire decoding process runs in JavaScript inside your browser with no network requests made.
Expiry Status at a Glance
Instantly tells you whether the token is still valid or has expired, and shows you the exact issue time and expiry time in a readable format.
Three-Part Breakdown
Shows the header, payload, and signature in separate tabs so you can focus on exactly the part of the token you need to inspect.
Standard Claims Explained
The Claims tab translates standard JWT fields like iss, sub, aud, exp, and iat into plain English so you understand what each value means.
Color-Coded Token View
The three parts of your token are highlighted in different colors so you can see at a glance where the header ends and the payload begins.
One-Click Copy
Copy the decoded header or payload JSON with a single click and paste it directly into your code editor, logs, or documentation.
JWT stands for JSON Web Token. It is a compact, URL-safe way of passing claims between two parties, most commonly used to authenticate users in web applications and APIs. When a user logs in, the server creates a JWT and sends it back to the client. The client then includes that token in future requests so the server can verify the identity without checking the database every time. The JWT Decoder from FileReadyNow lets you open any token and read what is inside it without writing a single line of code.
What a JWT Actually Contains
A JWT is made up of three base64url-encoded sections joined by dots. The first is the header, which describes the token type and the algorithm used to sign it, usually something like HS256 or RS256. The second is the payload, which carries the actual claims, meaning the data the token is asserting. This is where you find things like the user ID, email address, roles, issue time, and expiry time. The third is the signature, which is created by signing the first two parts with a secret or private key. The signature cannot be decoded into readable data on its own because it is a cryptographic hash, not encoded content.
How to Read the Decoded Output
Once you paste a token and click Decode, the tool splits it at the dots and base64url-decodes the header and payload into formatted JSON. You can read each field directly. The most important fields to check are usually:
- exp, which tells you when the token expires, shown as a Unix timestamp and converted to a human-readable date
- iat, which tells you when the token was issued
- sub, which identifies the subject, usually the user ID
- iss, which identifies the issuer, the server or service that created the token
- aud, which specifies the intended audience for the token
- alg in the header, which tells you the signing algorithm
What This Tool Does Not Do
Decoding and verifying are two different things. Decoding simply reads the base64url-encoded content, which anyone can do. Verifying means checking the signature against the secret or public key to confirm the token has not been tampered with. This tool only decodes. It cannot verify signatures because that requires the secret key or RSA public key, which should never be entered into a browser-based tool. If you need to verify a token's signature, do that server-side in your own application code using a proper JWT library.
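The difference between decoding and verifying, as an added server-side Node.js example (not part of the original page): a token whose payload was edited still decodes cleanly but fails the HS256 check. It uses Node's built-in crypto module only to show what a JWT library computes; the secret and claims are constructed placeholders.

```javascript
const nodeCrypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");

// Sign header.payload with HMAC-SHA256 (what "HS256" in the header means).
function signHs256(payload, secret) {
  const signingInput =
    b64url(JSON.stringify({ alg: "HS256", typ: "JWT" })) + "." + b64url(JSON.stringify(payload));
  const mac = nodeCrypto.createHmac("sha256", secret).update(signingInput).digest();
  return signingInput + "." + b64url(mac);
}

// Verification recomputes the MAC over the first two segments and compares it
// with the third. The algorithm is pinned here, not taken on trust from the header.
function verifyHs256(token, secret) {
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  let header;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
  } catch {
    return false;
  }
  if (header?.alg !== "HS256") return false;
  const expected = nodeCrypto
    .createHmac("sha256", secret)
    .update(parts[0] + "." + parts[1])
    .digest();
  const given = Buffer.from(parts[2], "base64url");
  return given.length === expected.length && nodeCrypto.timingSafeEqual(given, expected);
}

// Decoding needs no key, so it succeeds on any well-formed token.
const readPayload = (token) =>
  JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString("utf8"));

// Constructed demo values: the secret and claims are placeholders.
const SECRET = "constructed-demo-secret";
const genuine = signHs256({ sub: "user-42", role: "viewer" }, SECRET);
// Same header and signature, payload segment replaced with an edited one.
const [headerSeg, , sigSeg] = genuine.split(".");
const tampered = [headerSeg, b64url(JSON.stringify({ sub: "user-42", role: "admin" })), sigSeg].join(".");

console.log(readPayload(tampered).role, verifyHs256(tampered, SECRET));
```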
Common Reasons to Decode a JWT
- Debugging authentication issues: When a request fails with a 401 or 403, decoding the token lets you check whether it has expired, whether the user ID is correct, or whether the expected role or scope is missing from the claims.
- Checking expiry during development: When you are building an app and want to know how long the token you received is valid for, decoding it gives you the exact expiry timestamp.
- Inspecting third-party tokens: When integrating with an external service like an OAuth provider, decoding its tokens shows you exactly what claims it includes and what format it uses.
- Understanding algorithm and type: The header tells you which signing algorithm the token uses, which matters when you are configuring your server to accept or reject certain token types.
- Learning and teaching: JWT can seem opaque at first. Seeing the decoded content makes it immediately clear how the three parts fit together and what information travels inside the token.
Step by Step
How to Decode a JWT Token
1. Copy your JWT token from your application, browser dev tools, or API response and paste it into the token input field.
2. Click Decode Token. The tool will split the token and display the header and payload as formatted JSON.
3. Check the Claims tab to see standard fields like expiry, issue time, subject, and issuer explained in plain language.
4. Use the Copy button on any tab to copy the decoded JSON and paste it wherever you need it.
Frequently Asked Questions
Simply copy your JWT, paste it into the decoder tool, and run the decoding process. The tool will display the token header and payload in a readable format.
A JWT decoder is a tool that converts an encoded JSON Web Token into a human-readable format so users can inspect its contents.
Many JWT decoding tools are available online and can be used without creating an account or installing software.
No. Decoding only displays the token contents. Verification requires checking the token signature and validating it against the appropriate secret or public key.
Yes. An online JWT decoder works directly in your browser, allowing you to inspect tokens without installing any applications.
You can typically view header data, payload claims, issuer information, expiration times, user identifiers, and other metadata stored within the token.