Free Tools
Jul 7, 2026

What Is a JWT? How to Read and Decode a JSON Web Token

A JWT is three Base64 chunks separated by dots — a header, a payload of claims, and a signature. Here's how to read one, what each part means, and why decoding is not the same as trusting.

If you've worked with an API or a login system, you've seen a JWT — a long string like eyJhbGci... that shows up in an Authorization: Bearer header. JWT stands for JSON Web Token, and once you know its shape it's easy to read.

The three parts

A JWT is three Base64URL-encoded sections joined by dots:

header.payload.signature
  • Header — metadata: the token type and the signing algorithm (e.g. HS256, RS256).
  • Payload — the claims: the actual data, such as the user id (sub), who issued it (iss), and when it expires (exp). These are just JSON.
  • Signature — a cryptographic signature over the header and payload, created with a secret or private key.

Decoding is not the same as verifying

Here's the part that matters for security: the header and payload are only encoded, not encrypted. Anyone can Base64-decode them and read every claim — so never put secrets in a JWT payload.

The signature is what makes a JWT trustworthy. Decoding shows you the contents; verifying the signature against the issuer's key is what proves the token is authentic and unaltered. A server must always verify — reading the claims without checking the signature is how tokens get forged.

Reading expiry

The exp claim is a Unix timestamp (seconds since 1970). If it's in the past, the token is expired and should be rejected regardless of whether the signature is valid. iat (issued-at) and nbf (not-before) work the same way.

Inspect one safely

To read a token's header and payload, use the free JWT Decoder. It decodes entirely in your browser — the token never leaves your device, which matters because a real JWT is a live credential. Use it to debug auth flows, check what claims a token carries, and read its expiry.

JWT Decoder | Base64 Encoder / Decoder | Hash Generator | All free tools

Keep reading

More from Pyalm

Jul 7, 2026

How to Make a Company Seal or Stamp Online (Round & Rectangle)

You don't need a design tool to create a company seal. Here's how to build a round or rectangle stamp online, what to put on each, and how to export it with a transparent background.

Jul 7, 2026

How to Convert SVG Code to PNG (and Save SVG as a File)

Copied an icon and ended up with a block of SVG markup instead of a file? Here's how SVG and PNG differ, when to use each, and how to turn pasted SVG code into a usable image in your browser.

Jul 7, 2026

How to Create a Strong Password — and Check If Yours Holds Up

Length beats complexity, uniqueness beats cleverness, and a manager beats your memory. Here's how to create passwords that actually resist cracking — and how to test the ones you already use.

Jul 7, 2026

What Is a Hash? MD5, SHA-1 and SHA-256 Explained

A hash turns any input into a fixed-length fingerprint that can't be reversed. Here's what hashing is for, how MD5, SHA-1 and SHA-256 differ, and which you should actually use.

Jul 7, 2026

What Is Base64 Encoding? How and When to Use It

Base64 turns binary data into plain text so it can travel through systems that only handle text. Here's how it works, why it's not encryption, and the everyday places you'll meet it.

Jul 7, 2026

How to Scan a QR Code from an Image or Screenshot (No Phone Needed)

When the QR code is already on your screen, pointing a phone camera at it is awkward. Here's how to read a QR code straight from an image file or screenshot on your computer.

Explore Pyalm Products & Tools

Smart, focused software built in Dubai — from free WhatsApp utilities to AI identity verification and accounting.

Free Tools Products