JWT Decoder Tutorial
Detailed guide, best practices, and FAQ
Use Cases
The JWT decoder is useful for debugging login tokens, inspecting the claims a token carries (user ID, roles, scopes), checking token expiration, and troubleshooting permission issues. Use it to view the Header and Payload of a dot-separated JWT. Decoding is not verification: the tool shows what the token claims, it does not check the signature, so a decoded payload says nothing about who issued the token or whether it has been altered.
Features
- Auto-parse: paste to decode Header and Payload instantly
- JSON formatting: decoded results are auto-beautified
- Expiration check: automatically detects if the token is expired
- Sample token: built-in example for quick exploration
- Local decoding: the token is parsed in your browser and never uploaded to a server
Examples
Example 1: After frontend login, paste the token to view the user ID, role, and expiration time.
Example 2: The backend API returns 401 Unauthorized: decode the token to check whether it has expired or lacks the claims the endpoint requires (a 403 usually points at a permission problem rather than an invalid token).
Example 3: Compare the Payloads of two tokens to confirm whether the roles or scopes actually changed after a token refresh.
Best Practices
- Never share your token with anyone, even though decoding is local: a bearer token grants access to whoever holds it
- A JWT is signed, not encrypted, by default: anyone who obtains it can base64url-decode the Payload, so do not put passwords, personal data, or other secrets in the claims
- Always transmit tokens over HTTPS so they cannot be read or replaced in transit (man-in-the-middle)
- Keep access tokens short-lived (1-2 hours at most) and pair them with a refresh token; a leaked access token is then only usable until its exp
FAQ
Is JWT secure? Can it be tampered with?
A JWT carries a Signature so that the recipient can detect tampering: if the Header or Payload is modified, the signature no longer verifies. That protection only exists when the server actually verifies the signature against the expected key and a pinned algorithm; a decoder, including this one, checks nothing and simply displays the claims. A JWT is also signed, not encrypted, by default, so anyone holding it can decode the Payload. Do not store sensitive data in a token.
Why does my token show as expired?
Check the exp claim in the Payload. It is a NumericDate: seconds since the Unix epoch (UTC), not milliseconds. If the current time is later than exp (allowing a few seconds of leeway for clock skew), the token is expired and you need to use a refresh token to obtain a new one. If a freshly issued token already shows as expired, suspect a wrong clock on the issuer or the client, or an exp written in milliseconds.
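The following Python script is an added illustration of what a decoder does and what it does not do; it is not the tool's own code. It builds a demo HS256 token from a constructed secret and payload, decodes the Header and Payload without verifying (which is all a decoder does), checks exp with a small clock-skew leeway, and then shows that a Payload edited to role "admin" still decodes cleanly but fails signature verification, and that a token claiming alg "none" is rejected when the server pins the algorithm. The secret, claims and function names are assumptions made for the example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret for this example only; a real HS256 key must be
# random and at least 32 bytes long.
DEMO_SECRET = b"demo-secret-do-not-use-in-production"


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """JWT segments drop the '=' padding; restore it before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build a compact JWS (header.payload.signature) with HS256. Demo only."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> tuple[dict, dict]:
    """What a JWT decoder does: split on '.', base64url-decode, parse JSON.
    No signature check: the result is what the token claims, not proof it is genuine."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments (JWS), got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def is_expired(payload: dict, now: float | None = None, leeway: int = 0) -> bool:
    """exp is a NumericDate: seconds since the Unix epoch. leeway tolerates clock skew."""
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if exp is None:
        return False  # no exp claim: the token does not expire on its own
    return now > exp + leeway


def verify_hs256(token: str, secret: bytes) -> dict:
    """Verify the signature before trusting any claim. The algorithm is pinned:
    a header saying alg 'none' or any other alg is rejected, not honoured."""
    header, payload = decode_unverified(token)
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    head_b64, body_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return payload


def tamper_role(token: str, new_role: str) -> str:
    """Re-encode the Payload with a changed role while keeping the original signature."""
    head_b64, body_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(body_b64))
    payload["role"] = new_role
    body_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{head_b64}.{body_b64}.{sig_b64}"


if __name__ == "__main__":
    now = int(time.time())
    token = sign_hs256({"sub": "42", "role": "user", "iat": now, "exp": now + 3600}, DEMO_SECRET)
    header, payload = decode_unverified(token)
    print(json.dumps(header, indent=2))
    print(json.dumps(payload, indent=2))
    print("expired:", is_expired(payload))
    forged = tamper_role(token, "admin")
    print("forged token decodes to role:", decode_unverified(forged)[1]["role"])
    try:
        verify_hs256(forged, DEMO_SECRET)
    except ValueError as err:
        print("forged token rejected:", err)
```

The forged token is the point: decode_unverified happily reports role "admin", exactly as an online decoder would, while verify_hs256 rejects it. The same pinned-algorithm check is what stops an attacker from downgrading the header to alg "none" and dropping the signature.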
Can it decode encrypted JWTs?
This tool only decodes signed, unencrypted JWTs (JWS, three dot-separated segments, e.g. HS256 or RS256). Encrypted JWTs (JWE) have five segments and need the recipient's key to decrypt; they are not supported here.