How to Decode JWT Tokens Online — Complete Guide
JSON Web Tokens (JWTs) are the backbone of modern web authentication. If you work with APIs, OAuth, or any token-based auth system, you'll need to inspect JWTs regularly. This guide shows you how to decode JWT tokens online quickly and securely.
What is a JWT?
A JWT (pronounced "jot") is a compact, URL-safe token that carries claims between two parties. It consists of three Base64URL-encoded parts separated by dots:
header.payload.signature
For example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
JWT Structure Explained
1. Header
The header typically contains two fields: the signing algorithm (alg) and the token type (typ):
{
"alg": "HS256",
"typ": "JWT"
}
Common algorithms include HS256 (HMAC-SHA256), RS256 (RSA-SHA256), and ES256 (ECDSA).
2. Payload
The payload contains claims — statements about the user and additional metadata:
{
"sub": "1234567890",
"name": "John Doe",
"email": "john@example.com",
"role": "admin",
"iat": 1516239022,
"exp": 1516242622
}
Standard claims include:
- sub (subject) — who the token represents
- iat (issued at) — when the token was created
- exp (expiration) — when the token expires
- nbf (not before) — the earliest time the token is valid
- iss (issuer) — who issued the token
- aud (audience) — intended recipient
All of the time claims are Unix timestamps in seconds, not milliseconds.
3. Signature
The signature lets anyone holding the right key confirm that the header and payload have not been altered since the token was issued. It is computed over the first two Base64URL segments joined by a dot, using either a shared secret (HMAC algorithms such as HS256) or the issuer's private key (RS256, ES256). Note that the payload is encoded, not encrypted: anyone who holds the token can read every claim, and a decoder needs no key to display them. Reading the claims is not the same as verifying the signature; only a party with the key can do that.
How to Decode a JWT Online with ToolCove
- Go to the JWT Decoder
- Paste your JWT token into the input field
- The decoded header, payload, and signature information appear instantly
- Check the expiration status — ToolCove shows whether the token is expired
- Copy any section with one click
Why Use a Client-Side JWT Decoder?
JWT tokens often contain sensitive information — user IDs, email addresses, permissions, and session data. Pasting a valid JWT into a server-side decoder means that server (and its request logs) now holds your authentication token and can replay it until it expires.
ToolCove's JWT Decoder runs entirely in your browser: the token is parsed with client-side JavaScript and is never sent to a server. That removes the biggest risk of online decoders, but a production token is still a live credential, so treat it as one: avoid pasting it into pages with unknown scripts or browser extensions, and prefer an expired or test token when you only need to check structure. Remember too that decoding only reads the header and payload; it does not verify the signature, so a decoded token tells you what it claims, not whether those claims are authentic.
Common JWT Debugging Scenarios
Token Expiration Issues
The most common JWT issue is expiration. When a token's exp claim is in the past, the API will reject it. exp is a Unix timestamp in seconds, so use the decoder to read it and compare it with the current time; in the example payload above, exp 1516242622 is 2018-01-18 02:30:22 UTC, one hour after its iat. If a freshly issued token is already reported as expired, suspect clock drift between the issuer and the API, or an exp that was written in milliseconds instead of seconds.
Missing or Wrong Claims
APIs often require specific claims like role, scope, or permissions. Decoding the token reveals exactly what claims are present and what values they contain.
Algorithm Mismatches
If the server expects RS256 but receives an HS256 token (or vice versa), authentication will fail. Check the alg field in the header to diagnose algorithm issues. Keep in mind that the header is under the token holder's control: a server must accept only the algorithm it was configured for and reject everything else, including "none". A verifier that lets the header choose the algorithm is exposed to algorithm-confusion attacks, so an alg mismatch is a reason to fix the client or the issuer, never a reason to loosen the server.
JWT Security Best Practices
- Never store JWTs in localStorage — use httpOnly cookies instead, with the Secure and SameSite attributes set, and add CSRF protection since cookies are sent automatically with every request
- Set short expiration times — 15-30 minutes for access tokens
- Use refresh tokens — rotate access tokens without re-authentication, and revoke the refresh token on logout
- Validate on the server — never trust the client to validate JWTs; verify the signature with a pinned algorithm and check exp, iss and aud on every request
- Use strong signing keys — at least 256 bits of random key material for HMAC (a human-chosen passphrase does not count, even at 32 characters), 2048 bits for RSA
Related Tools
Working with JWTs often involves related tasks:
- Base64 Encoder/Decoder — JWT segments are Base64URL-encoded
- JSON Formatter — format decoded JWT payloads for readability
- Hash Generator — verify hashes and checksums
- Timestamp Converter — convert iat and exp Unix timestamps