
What Is a JWT and How to Decode It Safely?

2026-05-22, 4 min read

JSON Web Tokens (JWTs) are the default authentication format for REST APIs, OAuth flows, and single-page apps. They look like random strings, but each one encodes structured data you can read in seconds — no server call needed.

JWT Structure: Three Sections

A JWT is three Base64URL-encoded strings joined by dots: header.payload.signature. You can spot one immediately: it starts with "eyJ", which is the Base64 encoding of the opening `{"` of a JSON object together with the first letter of its first key.

  • Header: algorithm used to sign the token (e.g., HS256, RS256) and the token type ("JWT").
  • Payload: the claims — data the server embedded, such as user ID, email, roles, and expiry time.
  • Signature: a cryptographic checksum. Without the secret key, the signature cannot be forged or verified client-side.

Decoding vs. Verifying — A Critical Distinction

Decoding reads the header and payload by reversing the Base64 encoding. Anyone can do it — no key needed. Verifying checks that the signature is valid, meaning the token was signed by a trusted server. You must verify on the server before trusting any claim for authorization. Decoding alone tells you what is inside; it does not tell you whether to trust it.

Common Claims to Look For

  • sub — subject, typically the user ID.
  • exp — expiry time as a Unix timestamp. A token past this time is invalid.
  • iat — issued-at time, when the token was created.
  • iss — issuer, which server or service created the token.
  • roles or permissions — custom claims for access control.

How to Decode a JWT Online

  1. Copy your JWT from a browser network tab, API response, or auth cookie.
  2. Open the JWT Decoder tool.
  3. Paste the token into the input.
  4. Read the decoded header and payload — they display as formatted JSON.
  5. Check the exp field: it is a Unix timestamp. Convert it to a human-readable date to verify the token has not expired.

Tip: The payload section is just Base64URL-encoded JSON. You can also paste just the payload section (the middle part between the two dots) into the Base64 Decode tool to read it.
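The five steps above, and the tip about decoding only the middle segment, as an added example that is not part of the original post or the Utilikits tool. It splits a token, restores the `=` padding that Base64URL strips, reads header and payload, and renders `exp` as a UTC date. The sample token is constructed here: the header segment is the literal Base64URL of `{"alg":"HS256","typ":"JWT"}` (the familiar "eyJ..." prefix), the payload is built in the block, and the signature is a placeholder, since decoding never inspects it.

```python
import base64
import json
from datetime import datetime, timezone


def b64url_decode(segment: str) -> bytes:
    """Base64URL-decode one JWT segment, restoring the '=' padding that JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Inverse of b64url_decode; used only to build the constructed sample below."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> dict:
    """Read header and payload WITHOUT verifying the signature (steps 3-4).

    This is decoding only: nothing here proves the token is genuine, so the
    returned claims must not drive an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected header.payload.signature, got {len(parts)} segment(s)")
    header_seg, payload_seg, sig_seg = parts
    return {
        "header": json.loads(b64url_decode(header_seg)),
        "payload": json.loads(b64url_decode(payload_seg)),
        # Raw signature length is a quick sanity check: 32 bytes for HS256.
        "signature_bytes": len(b64url_decode(sig_seg)),
    }


def decode_payload_only(payload_segment: str) -> dict:
    """The tip above: the middle segment alone is just Base64URL-encoded JSON."""
    return json.loads(b64url_decode(payload_segment))


def exp_to_utc(timestamp: int) -> str:
    """Render an exp/iat Unix timestamp as a human-readable UTC date (step 5)."""
    return datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def is_expired(payload: dict, now: int) -> bool:
    """True when now is at or past exp (RFC 7519 requires now to be strictly before exp).

    A payload with no exp never expires, which is itself worth flagging for a session token.
    """
    return "exp" in payload and now >= payload["exp"]


# Constructed sample token (not a real credential). Header: literal Base64URL of
# {"alg":"HS256","typ":"JWT"}; payload: built here; signature: 32 zero bytes as a placeholder.
SAMPLE_HEADER_SEG = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
SAMPLE_PAYLOAD = {
    "sub": "user-42",
    "iss": "https://auth.example.test",  # constructed issuer
    "iat": 1699996400,
    "exp": 1700000000,
    "roles": ["reader"],
}
SAMPLE_TOKEN = ".".join([
    SAMPLE_HEADER_SEG,
    b64url_encode(json.dumps(SAMPLE_PAYLOAD, separators=(",", ":")).encode()),
    b64url_encode(b"\x00" * 32),
])

if __name__ == "__main__":
    decoded = decode_jwt(SAMPLE_TOKEN)
    print(json.dumps(decoded["header"], indent=2))
    print(json.dumps(decoded["payload"], indent=2))
    exp = decoded["payload"]["exp"]
    print("exp:", exp, "=", exp_to_utc(exp))
    print("expired as of exp itself?", is_expired(decoded["payload"], exp))
```

The padding restoration is the part people usually get wrong when decoding by hand: `base64.urlsafe_b64decode` raises on a segment whose length is not a multiple of four, and JWT segments almost never are.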

Security Notes

  • Never paste a production JWT containing sensitive claims into a third-party decoder you do not control. The payload is readable — treat it like a password when it carries user data.
  • JWTs are signed, not encrypted by default. Anyone who intercepts the token can read the claims. Use HTTPS to prevent interception.
  • Decoding a token in the browser does not validate it. Authorization decisions must always happen on the server, where the signing key is available.
  • Watch for the "alg: none" attack — a malformed token that claims no signature is needed. Properly configured libraries reject these automatically.
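The server-side half of the "decoding vs. verifying" distinction, as an added example that is not code from the original post: an HS256 issuer and a verifier that pins the algorithm (so a header claiming `"alg": "none"` is rejected before the signature is even looked at), recomputes the HMAC in constant time, and only then checks `exp` and `iss`. The secret, issuer, and fixed clock value are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    """Base64URL-decode one segment, restoring the padding that JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def encode_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a token: signature = HMAC-SHA256(secret, "header.payload")."""
    signing_input = f"{encode_segment({'alg': 'HS256', 'typ': 'JWT'})}.{encode_segment(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


class TokenRejected(Exception):
    """Raised for any reason a token must not be trusted."""


def verify_hs256(token: str, secret: bytes, expected_iss: str, now: int) -> dict:
    """Return the payload only if every check passes; otherwise raise TokenRejected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_seg, payload_seg, sig_seg = parts
    header = json.loads(b64url_decode(header_seg))
    # 1. The verifier, not the token, decides the algorithm. This single check is
    #    what makes an "alg": "none" token (or any downgrade) dead on arrival.
    if header.get("alg") != "HS256":
        raise TokenRejected(f"algorithm {header.get('alg')!r} not allowed")
    # 2. Recompute the MAC over the exact bytes received; compare in constant time.
    expected = hmac.new(secret, f"{header_seg}.{payload_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        raise TokenRejected("bad signature")
    # 3. Only now are the claims trustworthy enough to read for a decision.
    payload = json.loads(b64url_decode(payload_seg))
    if "exp" not in payload or now >= payload["exp"]:
        raise TokenRejected("expired or missing exp")
    if payload.get("iss") != expected_iss:
        raise TokenRejected("unexpected issuer")
    return payload


def outcome(token: str, secret: bytes, iss: str, now: int) -> str:
    try:
        verify_hs256(token, secret, iss, now)
        return "ok"
    except TokenRejected as exc:
        return str(exc)


# Constructed demo values (not real credentials or a real clock).
SECRET = b"constructed-demo-secret-not-for-production"
ISSUER = "https://auth.example.test"
NOW = 1700000000


def demo() -> dict:
    """Run four tokens through the verifier and report why each passes or fails."""
    claims = {"sub": "user-42", "iss": ISSUER, "iat": NOW - 60, "exp": NOW + 3600, "roles": ["reader"]}
    valid = sign_hs256(claims, SECRET)
    # Same signature, edited payload: the MAC no longer matches the bytes.
    h, _, s = valid.split(".")
    tampered = f"{h}.{encode_segment({**claims, 'roles': ['admin']})}.{s}"
    # The "alg: none" case from the note above: header says no signature is needed.
    alg_none = f"{encode_segment({'alg': 'none'})}.{encode_segment({**claims, 'roles': ['admin']})}."
    # Correctly signed but already past exp.
    expired = sign_hs256({**claims, "exp": NOW - 1}, SECRET)
    return {name: outcome(tok, SECRET, ISSUER, NOW)
            for name, tok in [("valid", valid), ("tampered", tampered),
                              ("alg_none", alg_none), ("expired", expired)]}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

Note the check order: algorithm first, then signature, then claims. Reading `exp` or `roles` before the signature has been verified is exactly the "decoding alone" mistake the post warns about, even when the code is running on the server.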
