
JWT Training

How JWT decoding works.

JWTs are used throughout modern web applications. Knowing how to read and decode them is useful when debugging authentication, APIs, sessions, and frontend development workflows.

What is a JWT?

JWT stands for JSON Web Token. It is a compact string format commonly used for authentication and authorization.

Applications often store a JWT after login and send it with API requests to identify the user.

JWT structure

A JWT contains three parts separated by dots:

header.payload.signature

Header

Contains token metadata such as the signing algorithm and the token type.

Payload

Contains claims such as user id, role, expiration, and permissions.

Signature

Used to verify that the header and payload were not modified after the token was issued.

Example payload

The payload usually contains information about the authenticated user:

{
  "sub": "1234567890",
  "name": "Ihor",
  "role": "developer",
  "iat": 1714560000,
  "exp": 1893456000
}

Common claims:

  • sub — subject / user id
  • iat — issued at timestamp
  • exp — expiration timestamp
  • role — application role

How decoding works

JWT headers and payloads are usually encoded using Base64URL.

Decoding a JWT simply means converting those encoded parts back into readable JSON. No key is needed, because Base64URL is an encoding, not encryption.

Important: decoding a JWT does not verify that the token is valid or trusted.
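
The decoding step described above, as an added example (not DevDrills' code). It shows that a token whose claim was edited decodes just as cleanly as the original, which is why decoded claims must not be trusted. The function names, the placeholder signature and the clock value are assumptions made for the illustration.

```javascript
// Added example: decodes a JWT's header and payload. It does NOT verify it.
// Runs in browsers and Node 16+ (global atob, btoa, TextDecoder).
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not Base64URL");
  if (segment.length % 4 === 1) throw new Error("invalid Base64URL length");
  // Map the URL-safe alphabet to standard Base64 and restore the padding.
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  // Claims are UTF-8 JSON; atob alone would mangle non-ASCII names.
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  const warnings = [];
  if (String(header.alg).toLowerCase() === "none") warnings.push("alg is none (unsigned)");
  if (typeof payload.exp !== "number") warnings.push("no exp claim");
  else if (payload.exp <= nowSeconds) warnings.push("expired");
  // verified is always false: nothing here checks the signature.
  return { header, payload, warnings, verified: false };
}

// Helpers that build constructed sample tokens for the demo below.
function base64UrlEncode(text) {
  const bin = String.fromCharCode(...new TextEncoder().encode(text));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function makeSampleToken(payload, header = { alg: "HS256", typ: "JWT" }) {
  const body = [header, payload].map((o) => base64UrlEncode(JSON.stringify(o)));
  return body.join(".") + ".c2lnbmF0dXJl"; // placeholder, not a real signature
}

// Payload from the page's example; tokens and clock value are constructed.
const samplePayload = { sub: "1234567890", name: "Ihor", role: "developer",
  iat: 1714560000, exp: 1893456000 };
const sample = makeSampleToken(samplePayload);
// Same placeholder signature, edited claim: it still decodes without complaint.
const edited = makeSampleToken({ ...samplePayload, role: "admin" });
console.log(decodeJwt(sample, 1800000000));
console.log(decodeJwt(edited, 1800000000).payload.role, "verified: false");
```

Only a signature check against the issuer's key, done by the server that consumes the token, can tell the two tokens apart.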

Security warning

Never paste sensitive production tokens into random online tools.

A safe JWT decoder should work entirely in the browser without sending tokens to a backend.

Try the tool

Decode a JWT token instantly

Use the DevDrills JWT Decoder to inspect token headers, payloads, expiration dates, and claims directly in your browser.
