Question 1

How do I decode a JWT token?

Accepted Answer

Paste your JWT into the input field above and the decoder instantly splits it at each dot (.), Base64URL-decodes each part, and displays the header (algorithm, type), payload (claims like sub, iat, exp), and signature section. No button needed — decoding happens as you type.

Question 2

What is a JWT?

Accepted Answer

A JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information as a signed JSON object. JWTs are used for authentication — after login, a server issues a JWT that the client sends with each request. The server validates the signature without querying a session database.

Question 3

What are the three parts of a JWT?

Accepted Answer

A JWT has three Base64URL-encoded sections separated by dots: (1) Header — token type and signing algorithm (e.g. HS256, RS256). (2) Payload — claims like user ID (sub), issued time (iat), expiry (exp), and custom data. (3) Signature — cryptographic proof the token hasn't been tampered with.

Question 4

What does a decoded JWT look like?

Accepted Answer

A decoded JWT shows two JSON objects: the header (e.g. {"alg":"HS256","typ":"JWT"}) and the payload containing claims such as {"sub":"user123","iat":1700000000,"exp":1700003600}. The signature is binary data not directly readable as JSON.

Question 5

Can I verify a JWT signature here?

Accepted Answer

This tool decodes and displays JWT contents without verifying the signature. Signature verification requires the server's public key (RS256) or HMAC secret (HS256). Use the JWT Debugger tool for interactive signature verification.

Question 6

Is it safe to paste a JWT here?

Accepted Answer

Decoding is pure Base64URL decoding — no data is sent to any server. However, avoid pasting live production JWTs that grant access to sensitive systems. For debugging expired or test tokens, this tool is completely safe to use.

Question 7

Where do I find a JWT token to decode?

Accepted Answer

JWTs appear in browser storage (localStorage or sessionStorage), HTTP Authorization headers (Bearer <token>), cookies, and API responses. Use browser DevTools → Application → Storage to find JWTs from web apps. Network tab shows Authorization headers. Paste the three-part dot-separated string into the decoder. For creating tokens, use DevDecode's JWT Encoder.

Question 8

Can a decoded JWT be used to log in?

Accepted Answer

No. Decoding a JWT only reads its claims — it doesn't verify the signature or grant access. The signature is validated by the server using a secret or public key. If someone intercepts a valid, unexpired JWT, they can reuse it until expiry, which is why HTTPS is essential. Use short expiry times and rotate secrets regularly.

JWT Decoder — Free Online JSON Web Token Decoder

Frequently Asked Questions

Understanding JSON Web Tokens

Related Tools

JWT Encoder

JWT Debugger

SAML Decoder

Cookie Decoder