What Is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token used to represent claims between two parties. JWTs are the backbone of modern authentication and authorization systems — they are issued by servers after login and sent with subsequent API requests to prove identity.
A JWT consists of three Base64URL-encoded parts separated by dots: the header (algorithm and token type), the payload (claims/data), and the signature (integrity verification). The signature is created using a secret key or private key, making tokens tamper-evident.
How JWT Decoding Works
Decoding a JWT reveals its contents without verifying the signature — useful for debugging but not for security decisions.
- Header decode — reveals the signing algorithm (HS256, RS256, etc.) and token type
- Payload decode — exposes all claims including user ID, roles, expiration time, and custom data
- Expiration check — calculates whether the token has expired based on the exp claim
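The three steps above, plus the signature check the FAQ below insists on, as an added example that is not part of CheckTown's decoder: it decodes a token without verification, evaluates the exp claim against a supplied clock, and then verifies an HS256 signature with the standard library. The token, the secret and the payload are constructed for the demo; a copy of the token with an edited payload shows that decoding still succeeds while verification fails.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    """Base64URL decode, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Base64URL encode without padding, as the JWS compact format requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> dict:
    """Decode header and payload WITHOUT checking the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWS compact token has exactly three dot-separated parts")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
        "signature_b64": parts[2],
    }


def is_expired(payload: dict, now: Optional[int] = None) -> bool:
    """True when the exp claim (seconds since epoch) is not in the future.
    A token with no exp claim is reported as not expired here."""
    if "exp" not in payload:
        return False
    now = int(time.time()) if now is None else now
    return now >= int(payload["exp"])


def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute HMAC-SHA256 over 'header.payload' and compare in constant time.
    Only HS256 is accepted; any other alg value in the header is rejected."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue an HS256 token (what the auth server does after login)."""
    compact = {"separators": (",", ":")}
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload_b64 = b64url_encode(json.dumps(payload, **compact).encode())
    sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def tamper_payload(token: str, changes: dict) -> str:
    """Edit payload claims but keep the original signature: decodes fine, verifies as invalid."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    return f"{header_b64}.{b64url_encode(json.dumps(payload, separators=(',', ':')).encode())}.{sig_b64}"


# Constructed demo material: a throwaway secret and a token valid for one hour from iat.
SECRET = b"constructed-demo-secret"
DEMO_PAYLOAD = {"sub": "user-42", "role": "reader", "iat": 1700000000, "exp": 1700003600}
DEMO_TOKEN = sign_hs256(DEMO_PAYLOAD, SECRET)

if __name__ == "__main__":
    decoded = decode_jwt(DEMO_TOKEN)
    print("header :", decoded["header"])
    print("payload:", decoded["payload"])
    print("expired at iat+1s?", is_expired(decoded["payload"], now=1700000001))
    print("expired at exp?   ", is_expired(decoded["payload"], now=1700003600))
    print("signature valid?  ", verify_hs256(DEMO_TOKEN, SECRET))
    edited = tamper_payload(DEMO_TOKEN, {"role": "admin"})
    print("edited token decodes to role:", decode_jwt(edited)["payload"]["role"])
    print("edited token verifies?      ", verify_hs256(edited, SECRET))
```

The expiry check takes an explicit `now` so it can be tested deterministically; in production pass nothing and the current clock is used. `verify_hs256` pins the algorithm to HS256 before computing anything, which is the simplest way to make sure the header's alg field cannot steer the verifier into a different mode.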
When To Use JWT Decoding
JWT decoding is essential during API development and debugging workflows.
- API debugging — inspect token contents when requests fail with 401 or 403 errors
- Integration testing — verify your auth server is embedding the correct claims in issued tokens
- Token expiry diagnosis — quickly check whether authentication failures are caused by expired tokens
Frequently Asked Questions
Can I trust the decoded JWT content?
Decoding reveals the payload but does not verify the signature. Never make security decisions based on decoded token content unless you have verified the signature with the correct secret or public key. CheckTown's decoder is for inspection only.
What should I never put in a JWT payload?
Never store sensitive information such as passwords, credit card numbers, or private keys in JWT payloads. JWTs are encoded, not encrypted: anyone who intercepts the token can decode the payload without knowing the signing key.
What is the difference between HS256 and RS256?
HS256 (HMAC-SHA256) uses a single shared secret for both signing and verification. RS256 (RSA-SHA256) uses a private key for signing and a public key for verification. RS256 is preferred in distributed systems where many services need to verify tokens without access to the signing secret.