What Is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe way to transmit information between two parties as a digitally signed JSON object. They are widely used in modern authentication systems — when you log into an app, it often gives you a JWT that you send with every subsequent request to prove who you are.
Decode any JWT instantly: JWT Decoder
The Three Parts of a JWT
A JWT looks like this: xxxxx.yyyyy.zzzzz
Three Base64url-encoded sections separated by dots:
1. Header
Contains the token type and signing algorithm:
{"alg": "HS256", "typ": "JWT"}
Common algorithms: HS256 (HMAC-SHA256), RS256 (RSA-SHA256), ES256 (ECDSA).
2. Payload (Claims)
Contains the actual data — who the user is and what they can do:
{"sub": "user_12345", "name": "John Doe", "role": "admin", "iat": 1715688000, "exp": 1715774400}
Standard claims:
| Claim | Meaning |
|---|---|
| sub | Subject — the user ID |
| iss | Issuer — who created the token |
| aud | Audience — who the token is for |
| exp | Expiry time (Unix timestamp) |
| iat | Issued at time (Unix timestamp) |
| nbf | Not before — token invalid before this time |
| jti | JWT ID — unique identifier for the token |
3. Signature
Cryptographically signs the header and payload so the server can verify they have not been tampered with. Verifying the signature requires the shared secret (HMAC) or the issuer's public key (RSA/ECDSA); note that decoding the header and payload requires neither, because they are only Base64url-encoded, not encrypted.
How to Decode a JWT
- Go to JWT Decoder
- Paste your JWT token into the input field
- The header, payload and all claims are decoded instantly
- Check the expiry — the tool shows whether the token is still valid and how much time remains
- Review the algorithm, issuer and subject claims
Common JWT Errors and Fixes
TokenExpiredError
The exp claim is in the past. The token has expired. Fix: request a new token by logging in again or refreshing with a refresh token.
JsonWebTokenError: invalid signature
The token was signed with a different secret than the one being used to verify it, or the token was modified after signing. Fix: ensure the same secret key is used on both sides.
NotBeforeError
The nbf claim is in the future — the token is not yet valid. Fix: check server clock synchronisation.
jwt malformed
The token does not have three dot-separated sections or the Base64url encoding is invalid. Fix: check you are not accidentally truncating the token or adding extra characters.
Security Best Practices
- Never store JWTs in localStorage — use httpOnly cookies so that script injected via XSS cannot read the token
- Use short expiry times (15 minutes for access tokens) with refresh tokens for long sessions
- Always pin the expected algorithm on the server and reject anything else — including "alg":"none" — rather than trusting the alg value in the header
- Validate the iss and aud claims to prevent token substitution attacks
- Use RS256 or ES256 in production — asymmetric algorithms are safer than HS256 for distributed systems, because services that only verify tokens need just the public key and never hold a secret that could mint tokens
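The decoding steps, the four error cases and the algorithm, issuer and audience checks above, carried through as one added Python example; this is not code from this page or from the JWT Decoder tool, and the secret, issuer, audience, fixed clock and extra claims are constructed demo values.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s: str) -> bytes:
    # JWT sections drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256(claims: dict, secret: bytes) -> str:
    # Builds a constructed demo token; a real app would use a JWT library.
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes, issuer: str, audience: str, now=None):
    """Returns (status, claims); status is 'ok' or the error case the page describes."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return "jwt malformed", None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError:  # bad base64url, bad UTF-8 and bad JSON all derive from ValueError
        return "jwt malformed", None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return "jwt malformed", None
    # The server pins the algorithm; the header's alg (including "none") is never trusted.
    if header.get("alg") != "HS256":
        return "invalid algorithm", None
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return "invalid signature", None
    if "exp" in claims and now >= claims["exp"]:
        return "TokenExpiredError", None
    if "nbf" in claims and now < claims["nbf"]:
        return "NotBeforeError", None
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return "invalid issuer/audience", None
    return "ok", claims

# Constructed demo values: secret, issuer, audience and a clock fixed between iat and exp.
DEMO_SECRET, DEMO_ISS, DEMO_AUD, DEMO_NOW = b"constructed-demo-secret", "https://issuer.example", "demo-api", 1715700000
DEMO_CLAIMS = {"sub": "user_12345", "name": "John Doe", "role": "admin", "iss": DEMO_ISS,
               "aud": DEMO_AUD, "iat": 1715688000, "exp": 1715774400}
DEMO_TOKEN = make_hs256(DEMO_CLAIMS, DEMO_SECRET)
```

Calling `verify_hs256(DEMO_TOKEN, DEMO_SECRET, DEMO_ISS, DEMO_AUD, now=DEMO_NOW)` returns `("ok", claims)`; passing a later clock, a different secret or a token with a changed payload returns the matching error name instead.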
Related Tools
- JWT Decoder — Decode and inspect any JWT
- Base64 Encoder — Decode individual JWT parts
- JSON Formatter — Format decoded JWT payloads
- Hash Generator — Generate HMAC signatures