If you've ever built a login system, connected to a REST API, or worked with OAuth, you've dealt with JWTs. They're everywhere in modern web development — and for good reason.
But here's something a lot of developers get wrong: when a JWT starts causing issues in production, the instinct is to Google "online JWT decoder," paste the token in, and see what's inside. That feels like a quick fix, but it can be a serious security mistake.
This guide explains exactly what a JWT is, what's inside one, and how to inspect tokens safely without putting your users or your application at risk.
What is a JSON Web Token (JWT)?
A JSON Web Token is an open standard (RFC 7519) that defines a compact and self-contained way to share information between two systems securely. Because the token is digitally signed, the receiving party can always verify that it hasn't been tampered with.
Every JWT is made up of three parts, joined by dots (.):
- Header — Contains the token type (
JWT) and the signing algorithm used, likeHS256orRS256. - Payload — Contains "claims": the actual data, such as user ID, roles, and when the token expires.
- Signature — A cryptographic hash that locks the header and payload together. If anyone changes even one character, the signature breaks and the token becomes invalid.
Each part is encoded using Base64Url — and this is important: Base64 is encoding, not encryption. Anyone who gets hold of your token can decode the header and payload immediately. Only the signature requires a secret key to verify.
Why You Should Never Decode JWTs on Unknown Websites
When you're debugging an auth issue, pasting your token into a random online decoder feels harmless. But consider what you're actually doing:
- Your token travels across the internet to their server.
- Their backend can log, store, or sell it. Tokens contain live session data.
- Active tokens can be replayed. A stolen JWT can be used to impersonate your users or gain admin access to your APIs.
The right approach is to decode tokens locally — directly in your own browser, with no network requests at all.
JWT Decoder
Decode and inspect JWT tokens securely. Check payload claims and expiration.
Step-by-Step: How JWT Decoding Works
Decoding the payload of a JWT in plain JavaScript is straightforward. Here's a simple function that does it:
function decodeJWT(token) {
try {
const parts = token.split('.');
if (parts.length !== 3) {
throw new Error("Invalid JWT structure");
}
const base64Url = parts[1];
const base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');
const jsonPayload = decodeURIComponent(
atob(base64)
.split('')
.map(c => '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2))
.join('')
);
return JSON.parse(jsonPayload);
} catch (error) {
console.error("Failed to decode token:", error.message);
return null;
}
}
What You'll Find Inside the Payload
Once decoded, a standard JWT payload usually contains some or all of these fields:
sub— The subject: typically the unique user ID.iss— The issuer: who created the token (e.g., Auth0, Firebase, Cognito).exp— Expiry time: a Unix timestamp for when the token stops working.iat— Issued at: the timestamp when the token was first created.roles/scopes— What permissions the token grants.
Why Your Location Matters: GDPR, CCPA, and India's DPDP
JWT payloads often contain personal information — email addresses, user IDs, and role assignments. That means the way you handle them is regulated by law in many countries.
- In the EU, pasting tokens into external tools can breach GDPR Article 25, which requires data protection by design. Sending user data to an unknown third-party server without consent is a violation.
- In California (USA), CCPA considers sharing identifiable session data with outside parties as "selling" personal information — which triggers disclosure obligations.
- In India, the Digital Personal Data Protection (DPDP) Act requires organizations to avoid unnecessary exposure of personal data to external systems.
The simplest way to stay compliant everywhere? Keep decoding entirely in your browser. No data ever leaves your machine.
Best Practices for Secure JWT Implementation
A few habits that will save you headaches down the road:
- Always use HTTPS. Tokens sent over HTTP can be intercepted in transit.
- Keep payloads small. Don't stuff sensitive data into the token. Store only what's needed for authorization.
- Use HttpOnly cookies for storage. Storing JWTs in
localStoragemakes them vulnerable to XSS attacks. AnHttpOnlycookie is far safer. - Set short expiry times. Access tokens should expire in 15 minutes or less. Use refresh tokens for longer sessions.
Frequently Asked Questions
What is the JWT signature used for?
The signature verifies that nobody has altered the token in transit. It's created by hashing the header and payload using a secret key. If the payload is changed even slightly, the signature won't match and the token will be rejected.
Can I decode an encrypted JWT (JWE) locally?
Not with a standard decoder. JWE tokens encrypt the entire payload and require a private key to read. Standard JWTs (JWS) are only signed, not encrypted — their payloads are Base64 encoded and readable by anyone.
Is it safe to store JWTs in localStorage?
It's not recommended for sensitive applications. Any JavaScript on the page can read localStorage, which means XSS vulnerabilities can steal your tokens. An HttpOnly, SameSite cookie is a much safer option.
Does FluxToolkit store or log my decoded JWT token?
No. The JWT Decoder runs completely in your browser using JavaScript. Nothing is sent to our servers — not the token, not the decoded payload, nothing.
Related Articles
Base64 Encode and Decode: A Complete Developer's Guide — JWT payloads are Base64Url-encoded — this explains the encoding in depth.
Strong Passwords and Cryptographic Hashes — Understand the cryptographic principles behind JWT signatures.
JSON Formatter and Validator — Format the JSON payload you extract from a decoded JWT.
SHA-256 vs MD5 vs bcrypt: Which Hashing Algorithm? — JWTs use HMAC-SHA256 for signature verification — understand the algorithm.
Unix Timestamp Converter — JWT
iatandexpclaims are Unix timestamps.