What is a JWT Token?
A JWT (JSON Web Token) is a compact, URL-safe token format used to securely transmit information between parties. JWTs are most commonly used for authentication — after a user logs in, the server issues a JWT, and the client sends it with every subsequent request to prove identity.
The Structure of a JWT
A JWT consists of three parts separated by dots: header.payload.signature
Example JWT:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
1. Header
The header contains the token type and the signing algorithm used:
{
"alg": "HS256",
"typ": "JWT"
}
2. Payload
The payload contains the claims — data about the user and session:
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022,
"exp": 1716239022
}
Common claims include:
sub— Subject (usually the user ID)iat— Issued at (Unix timestamp)exp— Expiry time (Unix timestamp)iss— Issueraud— Audience
3. Signature
The signature verifies that the token hasn't been tampered with. It's created by signing the encoded header and payload with a secret key. You cannot verify the signature without the secret — but you can still decode the header and payload.
How JWT Authentication Works
- User logs in with credentials
- Server validates credentials and issues a signed JWT
- Client stores the JWT (in memory, localStorage, or a cookie)
- Client sends the JWT in the
Authorization: Bearer <token>header with every request - Server validates the signature and extracts the user identity
How to Decode a JWT
Since the header and payload are just Base64URL-encoded (not encrypted), you can decode any JWT without a secret key. This is useful for debugging — to check what claims are inside a token, whether it's expired, or what user ID it contains.
Use the free JWT Decoder at MockServer — paste your token and instantly see the decoded header, payload, and expiry status. Your token never leaves your browser.
Is it Safe to Decode a JWT Online?
Yes, as long as the tool runs in your browser (client-side only). MockServer's JWT decoder runs entirely in JavaScript in your browser — your token is never sent to any server. Always avoid pasting production JWT tokens into tools that send data to a backend.
JWT vs Session Tokens
- Session tokens are opaque strings stored server-side. The server looks them up in a database on every request.
- JWTs are self-contained. The server validates the signature and reads the claims without a database lookup — making them faster and stateless.
JWTs are preferred for microservices, mobile apps, and APIs. Sessions are preferred when you need to invalidate tokens immediately server-side.
Common JWT Debugging Scenarios
- Token expired? Check the
expclaim — it's a Unix timestamp. Our decoder shows this in human-readable format with an expiry warning. - Wrong user ID? Check the
subclaim in the payload. - Wrong permissions? Check for a
rolesorscopeclaim in the payload. - Algorithm mismatch? Check the
algfield in the header.
Try It Free
Use the free JWT Decoder at MockServer — paste any JWT and instantly inspect the header, payload, expiry time, and issued-at date. No signup, no server calls.