JWT Tokens Explained: How to Decode and Debug Them

JWT tokens power most modern auth systems. Learn what's inside them and how to quickly decode and inspect any JWT.

JWT Tokens Explained: How to Decode and Debug Them

What is a JWT Token?

A JWT (JSON Web Token) is a compact, URL-safe token format used to securely transmit information between parties. JWTs are most commonly used for authentication — after a user logs in, the server issues a JWT, and the client sends it with every subsequent request to prove identity.

The Structure of a JWT

A JWT consists of three parts separated by dots: header.payload.signature

Example JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

1. Header

The header contains the token type and the signing algorithm used:

{
  "alg": "HS256",
  "typ": "JWT"
}

2. Payload

The payload contains the claims — data about the user and session:

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1716239022
}

Common claims include:

  • sub — Subject (usually the user ID)
  • iat — Issued at (Unix timestamp)
  • exp — Expiry time (Unix timestamp)
  • iss — Issuer
  • aud — Audience

3. Signature

The signature verifies that the token hasn't been tampered with. It's created by signing the encoded header and payload with a secret key. You cannot verify the signature without the secret — but you can still decode the header and payload.

How JWT Authentication Works

  1. User logs in with credentials
  2. Server validates credentials and issues a signed JWT
  3. Client stores the JWT (in memory, localStorage, or a cookie)
  4. Client sends the JWT in the Authorization: Bearer <token> header with every request
  5. Server validates the signature and extracts the user identity

How to Decode a JWT

Since the header and payload are just Base64URL-encoded (not encrypted), you can decode any JWT without a secret key. This is useful for debugging — to check what claims are inside a token, whether it's expired, or what user ID it contains.

Use the free JWT Decoder at MockServer — paste your token and instantly see the decoded header, payload, and expiry status. Your token never leaves your browser.

Is it Safe to Decode a JWT Online?

Yes, as long as the tool runs in your browser (client-side only). MockServer's JWT decoder runs entirely in JavaScript in your browser — your token is never sent to any server. Always avoid pasting production JWT tokens into tools that send data to a backend.

JWT vs Session Tokens

  • Session tokens are opaque strings stored server-side. The server looks them up in a database on every request.
  • JWTs are self-contained. The server validates the signature and reads the claims without a database lookup — making them faster and stateless.

JWTs are preferred for microservices, mobile apps, and APIs. Sessions are preferred when you need to invalidate tokens immediately server-side.

Common JWT Debugging Scenarios

  • Token expired? Check the exp claim — it's a Unix timestamp. Our decoder shows this in human-readable format with an expiry warning.
  • Wrong user ID? Check the sub claim in the payload.
  • Wrong permissions? Check for a roles or scope claim in the payload.
  • Algorithm mismatch? Check the alg field in the header.

Try It Free

Use the free JWT Decoder at MockServer — paste any JWT and instantly inspect the header, payload, expiry time, and issued-at date. No signup, no server calls.