How to Decode and Inspect JWT Tokens
How to Decode JWT Tokens
Understanding how to decode and inspect JWT tokens is essential for debugging authentication issues and verifying token contents.
Understanding JWT Structure
A JWT looks like this:
```
xxxxx.yyyyy.zzzzz
```
Each part is Base64URL encoded:
- xxxxx: Header
- yyyyy: Payload
- zzzzz: Signature
Manual Decoding Steps
Step 1: Split the Token
Separate the token into three parts using the dot (.) as a delimiter.
Step 2: Base64URL Decode
Each part uses Base64URL encoding (URL-safe Base64). To decode:
- Replace `-` with `+` and `_` with `/`
- Add `=` padding if needed
Step 3: Parse JSON
The decoded header and payload are JSON strings. Parse them to view the claims.
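The three steps carried out in Node.js, as an added example that is not part of the original page. The sample token is the widely published jwt.io demo token (HS256, signed with the secret "your-256-bit-secret"), used here only as constructed input; the block decodes it and does not check the signature.

```javascript
// Added example (not from the original page): manual JWT decoding in Node.js.
// Step 1 splits on '.', Step 2 Base64URL-decodes each segment, Step 3 parses
// the header and payload as JSON. The sample token is the jwt.io demo token,
// used here as constructed input only.

const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

// Step 2: Base64URL -> standard Base64 ('-' to '+', '_' to '/'), re-add the
// '=' padding that JWTs omit, then decode to bytes. Characters outside the
// Base64URL alphabet and impossible lengths are rejected instead of guessed at.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error('segment contains characters outside the Base64URL alphabet');
  }
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const pad = (4 - (b64.length % 4)) % 4;
  if (pad === 3) throw new Error('invalid Base64URL length');
  b64 += '='.repeat(pad);
  return Buffer.from(b64, 'base64');
}

// Steps 1 and 3: exactly three segments; header and payload must be JSON.
// The signature is returned as raw bytes: it is not JSON and is NOT verified here.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 segments, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  let header;
  let payload;
  try {
    header = JSON.parse(base64UrlDecode(h).toString('utf8'));
    payload = JSON.parse(base64UrlDecode(p).toString('utf8'));
  } catch (err) {
    throw new Error(`malformed JWT: ${err.message}`);
  }
  return { header, payload, signature: base64UrlDecode(s) };
}

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log('header :', decoded.header);
console.log('payload:', decoded.payload);
console.log('signature bytes:', decoded.signature.length);
```

The padding step matters for this token: its payload segment ends in `fQ`, which only decodes to the closing `}` once two `=` characters are appended. Anything `decodeJwt` returns is still untrusted input until the signature has been verified.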
Using JWTSpark to Decode Tokens
The easiest way to decode JWTs is to use our online tool, JWTSpark.
What to Look For
In the Header
- alg: Verify it matches your expected algorithm
- typ: Should be "JWT"
- kid: Key ID if using key rotation
In the Payload
- exp: Expiration time (Unix timestamp)
- iat: Issued at time
- sub: Subject (usually user ID)
- iss: Issuer
- aud: Audience
- Custom claims specific to your application
Verifying Token Expiration
Compare the exp claim with the current Unix timestamp:
```javascript
const isExpired = Date.now() >= payload.exp * 1000;
```
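The checks from "What to Look For" and the expiry comparison above, combined into one inspection routine. This is an added example, not code from the original page or from JWTSpark; the expected issuer, audience, key IDs, the clock-skew tolerance and the two sample tokens are all constructed for illustration, and the current time is passed in as a parameter so the result is reproducible.

```javascript
// Added example (not from the original page): inspect the header and payload
// fields from the checklist above and report every mismatch. Expected values,
// sample tokens and the skew tolerance are constructed; `nowMs` is a parameter
// so the expiry check is reproducible.

const CLOCK_SKEW_MS = 60 * 1000; // constructed tolerance for iat slightly ahead of our clock

// Same comparison as the snippet above: exp is Unix seconds, Date.now() is ms.
// A token without a numeric exp is treated as expired (fail closed).
function isExpired(payload, nowMs = Date.now()) {
  return typeof payload.exp !== 'number' || nowMs >= payload.exp * 1000;
}

function inspectClaims(header, payload, expected, nowMs = Date.now()) {
  const findings = [];

  // Header: the algorithm is pinned by the verifier, never taken from the token.
  if (header.alg !== expected.alg) findings.push(`alg is ${header.alg}, expected ${expected.alg}`);
  if (header.typ !== undefined && header.typ !== 'JWT') findings.push(`typ is ${header.typ}`);
  if (expected.kids && !expected.kids.includes(header.kid)) findings.push(`unknown kid ${header.kid}`);

  // Payload: registered claims.
  if (isExpired(payload, nowMs)) findings.push('token expired or exp missing');
  if (typeof payload.iat === 'number' && payload.iat * 1000 > nowMs + CLOCK_SKEW_MS) {
    findings.push('iat is in the future');
  }
  if (typeof payload.sub !== 'string' || payload.sub === '') findings.push('sub missing');
  if (payload.iss !== expected.iss) findings.push(`iss is ${payload.iss}, expected ${expected.iss}`);
  // aud may be a single string or an array; this service must be listed.
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(expected.aud)) {
    findings.push(`aud ${JSON.stringify(payload.aud)} does not include ${expected.aud}`);
  }

  return findings;
}

// Constructed demo data; "now" is fixed to one instant so the output is stable.
const EXPECTED = { alg: 'HS256', iss: 'https://issuer.example', aud: 'api.example', kids: ['2024-key'] };
const NOW_MS = 1700000000 * 1000;

const freshToken = {
  header: { alg: 'HS256', typ: 'JWT', kid: '2024-key' },
  payload: {
    sub: 'user-42', iss: 'https://issuer.example', aud: ['api.example', 'web.example'],
    iat: 1700000000 - 30, exp: 1700000000 + 600,
  },
};
const staleToken = {
  header: { alg: 'none' },
  payload: { sub: 'user-42', iss: 'https://other.example', aud: 'api.example', exp: 1700000000 - 1 },
};

console.log('fresh:', inspectClaims(freshToken.header, freshToken.payload, EXPECTED, NOW_MS));
console.log('stale:', inspectClaims(staleToken.header, staleToken.payload, EXPECTED, NOW_MS));
```

The routine returns every finding rather than stopping at the first, which is what you want when debugging why a token is rejected. It only inspects claims; combine it with a signature check before acting on anything it reports as clean.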
Common Issues When Decoding
Invalid Characters
Some tokens may have URL-unsafe characters. Ensure proper Base64URL decoding.
Missing Padding
Base64 requires padding, but JWTs often omit it. Add `=` characters as needed.
Malformed JSON
If parsing fails, the token may be corrupted or not a valid JWT.
Security Note
Decoding a JWT only reveals its contents; it does not verify the signature. Always validate the signature server-side before trusting the claims.
Use JWTSpark to quickly decode and inspect your tokens during development and debugging!