How to Decode a JWT Token
A JWT has three parts separated by dots: header.payload.signature. The header and payload are base64url-encoded JSON. JWTs are NOT encrypted -- anyone who holds the token can read the payload. The signature lets the verifier detect tampering, but it does not hide the contents. Never store secrets or sensitive data in JWT payloads.
JWT Structure
```text
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U
|----- header -----| |-------- payload --------| |--------------- signature ---------------|
```
Decoded Header
{"alg": "HS256"}
Decoded Payload
{"sub": "1234567890"}
Decode in Code
JavaScript
```javascript
// Decode (not verify!) the header and payload. base64url differs from plain base64:
// '-' and '_' replace '+' and '/', and the trailing '=' padding is omitted.
function decodeJWT(token) {
  const [header, payload] = token.split('.').slice(0, 2).map(part => {
    const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
    const padded = b64 + '='.repeat((4 - b64.length % 4) % 4);  // restore padding for atob
    // atob yields one character per byte; decode those bytes as UTF-8 so non-ASCII claims survive
    const bytes = Uint8Array.from(atob(padded), c => c.charCodeAt(0));
    return JSON.parse(new TextDecoder().decode(bytes));
  });
  return { header, payload };
}
decodeJWT('eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgN...');
// { header: {alg: "HS256"}, payload: {sub: "1234567890"} }
```
Command Line
```bash
# Decode payload (second part). base64url drops the '=' padding and uses '-' and '_',
# so restore the padding and map the alphabet back before handing it to base64.
p='eyJzdWIiOiIxMjM0NTY3ODkwIn0'
while [ $(( ${#p} % 4 )) -ne 0 ]; do p="$p="; done
printf '%s' "$p" | tr '_-' '/+' | base64 --decode
# {"sub":"1234567890"}
```
Common JWT Claims
| Claim | Name | Description |
|---|---|---|
| sub | Subject | User ID or entity |
| iat | Issued At | Unix timestamp of creation |
| exp | Expiration | Unix timestamp when token expires |
| iss | Issuer | Who issued the token |
| aud | Audience | Intended recipient |
Try It Yourself
Use our JWT Decoder to decode and inspect any JWT token instantly.
Frequently Asked Questions
Is a JWT token encrypted?
No. Standard JWTs (JWS) are only signed, not encrypted. Anyone can decode and read the payload. Use JWE (JSON Web Encryption) if you need encrypted tokens.
What is the difference between JWT and JWE?
JWT (JWS) is signed but readable by anyone. JWE is both signed and encrypted, so only the intended recipient can read the payload. Most APIs use JWS.