What is a JWT?

A JSON Web Token is a compact, URL-safe means of representing claims between two parties. It’s three base64url-encoded parts joined by dots: header, payload, and signature.

The header and payload are just JSON — you can decode them with any JSON parser. The signature is opaque bytes derived from a secret or key, used by the receiver to verify the token wasn’t tampered with.

When do you need to decode one?

• You’re debugging an auth flow and the API keeps returning 401.
• You want to know when a token expires.
• You want to read the user identity (the sub claim) out of a session token.
• You’re inspecting tokens issued by a third-party identity provider.

Privacy promise

Decoding happens entirely in your browser. Nothing is sent to a server, ever. There’s no analytics on this page that captures the token. Close the tab and the token is gone.