JWT Decoder Guide
JWTs are commonly used for API authentication. Decoding them helps you inspect claims and metadata during integration and troubleshooting.
What it is
- A JWT has three dot-separated parts: header, payload, and signature.
- Header defines token metadata, payload contains claims, and signature is used for verification.
Why developers use it
- You can quickly inspect expiration (`exp`) and issuer (`iss`) claims.
- Local decoding helps debug auth flows without sending tokens to external services.
- It speeds up API testing when token claim mismatches cause 401/403 responses.
Example
Sample JWT payload fields
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}JWT structure explained
A JWT has three Base64URL-encoded parts separated by dots:
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
HEADER PAYLOAD SIGNATURE- Header — algorithm used to sign the token (HS256, RS256, etc.).
- Payload — claims: who the user is, roles, expiry (exp), issued at (iat).
- Signature — verifies the token wasn't tampered with (requires the secret key).
You can decode header + payload without the secret. You cannot verify the signature without it.
Common JWT claims
| Claim | Meaning |
|---|---|
| sub | Subject — usually the user ID |
| exp | Expiry — Unix timestamp, token invalid after this |
| iat | Issued at — when the token was created |
| iss | Issuer — who issued the token |
| aud | Audience — intended recipient |
| roles | Custom — user permissions (not standard) |
The JWT Decoder shows all claims with human-readable timestamps for exp and iat.
Security note
Never decode JWTs from untrusted sources in production without verifying the signature. Decoding only reads the payload — it does not confirm the token is authentic.
For debugging and development, the apidevtools JWT Decoder is safe: it runs entirely in your browser, nothing is sent to a server.
How to use the tool
- Paste the token into the JWT input box.
- Click Decode to display header and payload as JSON.
- Copy header or payload for debugging and documentation.