How to Decode and Understand a JWT Token

Developer

Learn what a JSON Web Token (JWT) contains, how to decode it to read the payload, and how to verify its structure without a library.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to transmit claims between two parties. It was standardized in RFC 7519 and has become the default token format for modern APIs and single sign-on (SSO) flows. The token is a single string that encodes a small JSON object along with a cryptographic signature — anyone holding the token can read its contents, but only a holder of the signing key can produce a valid signature. That property makes JWTs well suited to stateless authentication: servers no longer need to keep session state, because the token itself carries the claims (user id, scopes, expiry) and the signature lets the server check that they have not been altered.

Where JWTs are used

  • API authentication

    A client logs in once and receives a JWT; every subsequent request sends the token in the Authorization header as Authorization: Bearer <token>. The API verifies the signature and trusts the claims without a database lookup.

  • Single sign-on (SSO)

    OpenID Connect builds on JWT. An identity provider issues an ID token describing the user; downstream apps trust it because the signature can be verified against a public JWKS endpoint.

  • Short-lived delegated access

    JWTs work well for one-off URLs (password reset, email confirmation, signed download links). The expiry claim (exp) means the link automatically stops working after a set time.

Step-by-step guide

1. Understand JWT structure

A JWT has three Base64URL-encoded parts separated by dots: Header.Payload.Signature. The header specifies the algorithm, the payload contains the claims (data), and the signature is computed over the first two parts so that the recipient can check their integrity and origin.

2. Decode the header

Take the first part (before the first dot) and Base64URL-decode it. Base64URL uses '-' and '_' in place of '+' and '/' and drops the trailing '=' padding, so if you use a plain Base64 decoder you must restore both before decoding. You'll get a JSON object like: {"alg":"HS256","typ":"JWT"}. This tells you which signing algorithm the token claims was used; a server should compare it against the algorithm it expects rather than act on it blindly.

3. Decode the payload

Take the second part and Base64URL-decode it. You'll see claims such as: sub (subject/user ID), exp (expiration Unix timestamp), iat (issued at), iss (issuer), and custom claims.

4. Check expiration

The exp claim is a Unix timestamp (seconds since 1970-01-01 UTC). The token is valid only while the current time is before exp, so compare the two to see whether it is still valid. Example: exp: 1700000000 = November 14, 2023, 22:13 UTC.

5. Use our JWT Decoder

Paste your JWT into the JWT Decoder tool. It instantly shows the decoded header, payload, and signature section in formatted JSON — no server required, everything runs in your browser.

Try our free tool

JWT Decoder

Frequently asked questions

Q: Is it safe to decode a JWT in the browser?

A: Yes — decoding (reading the payload) is safe. JWTs are Base64URL-encoded, not encrypted, so the payload is readable by anyone who holds the token. Never paste your JWT into untrusted third-party websites, because the token itself grants access to whoever has it.

Q: Can I verify the JWT signature without the secret?

A: No. Signature verification requires the secret key (for HMAC algorithms such as HS256) or the issuer's public key (for RSA or ECDSA algorithms). Our decoder shows the structure but cannot verify the signature without the key, so a token that decodes cleanly has not been proven genuine.

Q: What does "JWT expired" mean?

A: It means the exp timestamp is in the past. The server rejects expired tokens. You'll need to refresh or re-authenticate to get a new token.