How to Decode a JWT Token and Read Its Contents in Plain Text

Guides · Developer · Updated 2026

JSON Web Tokens (JWTs) are everywhere — they secure API calls, authenticate users, and carry claims between services. But the token itself looks like a random string of characters. Toolzo’s free JWT Decoder instantly breaks down any JWT into its header, payload, and expiry date, all without needing the secret key. This guide explains how JWTs are structured and how to decode them safely.

What’s inside a JWT?

A JWT consists of three Base64Url‑encoded parts separated by dots: header.payload.signature. The header typically declares the signing algorithm (for example HS256 or RS256). The payload carries claims like user ID, role, and an expiration timestamp (exp). The signature lets a verifier confirm the token hasn’t been tampered with, but checking it requires the secret or the public key. Our decoder only reads the header and payload, which are encoded rather than encrypted, and performs no verification, so you can inspect what information the token exposes.

Step‑by‑step: decode any JWT

  1. Open the JWT Decoder tool.
  2. Paste your JWT string into the textarea and click “Decode”.
  3. The header and payload appear as formatted JSON in separate panels.
  4. Below the panels, a message shows whether the token has expired and how much time remains (or how long ago it expired).
💡 Tip: If you see an exp claim, the tool converts the Unix timestamp into a human‑readable local date, so you know exactly when the session ends.
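What the structure and steps above amount to in code, as an added example (not Toolzo's own code): split the token, Base64Url-decode the header and payload, and compare exp with the clock. The names b64urlToText, decodeJwt and SAMPLE are assumptions, and the sample token is constructed with a placeholder signature.

```javascript
// Added example: decodes a signed (JWS) token WITHOUT verifying the signature.
function b64urlToText(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not Base64Url");
  // Map the URL-safe alphabet back to standard Base64 and restore padding.
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8").decode(bytes);
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  // JWE compact tokens have five parts and an encrypted payload.
  if (parts.length === 5) throw new Error("looks like a JWE: payload is encrypted");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlToText(parts[0]));
  const payload = JSON.parse(b64urlToText(parts[1]));
  let expiry = { status: "no exp claim" };
  if (typeof payload.exp === "number") {
    // exp is seconds since the Unix epoch (UTC), independent of time zone.
    const delta = payload.exp - nowSeconds;
    expiry = {
      status: delta > 0 ? "not expired" : "expired",
      secondsFromNow: delta,
      expiresAt: new Date(payload.exp * 1000).toISOString(),
    };
  }
  // The claims are readable but unauthenticated: nothing here checks the signature.
  return { header, payload, expiry, signatureVerified: false };
}

// Constructed sample token; "c2lnbmF0dXJl" is a placeholder, not a real signature.
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user-123", role: "admin", exp: 1700000000 }),
  "c2lnbmF0dXJl",
].join(".");

console.log(decodeJwt(SAMPLE));
```

The signatureVerified field is always false here: anyone can build a token that decodes cleanly, so the output is for inspection, not for authorization decisions.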

Understanding the payload claims

Common claims include sub (subject — the user ID), iat (issued at), and aud (audience). Knowing these helps you troubleshoot authorization errors. For example, if the exp has passed, the token is invalid and the API will reject it. If you’re working with JWTs that carry large amounts of data, you might also want to convert the JSON payload to CSV using our CSV to JSON converter, or format the JSON with the Code Minifier’s beautify mode.

Frequently Asked Questions

Does this tool verify the signature?

No, it only decodes the public parts. Verification requires the secret or public key, which this tool never asks for.

Is it safe to paste a real JWT into the tool?

Yes — all processing is client‑side. The token never leaves your browser.

What if my JWT has a different structure?

As long as it follows the three‑part Base64Url format, it will decode correctly.

Can I decode an encrypted JWT (JWE)?

No, this decoder works only with signed (JWS) tokens, not encrypted ones.

Why does the tool say my token is expired?

It compares the exp timestamp with your system clock. Time‑zone differences are handled automatically.
