JWT Decoder - How to Read and Debug JSON Web Tokens
JSON Web Tokens (JWTs) are the backbone of modern authentication. If you are building or debugging an API, you will inevitably need to inspect a token - check its expiration, verify claims, or debug why authentication is failing. Here is how JWTs work and how to decode them for free.
What Is a JWT?
A JWT is a compact, URL-safe token consisting of three Base64URL-encoded parts separated by dots:
- Header - algorithm and token type (e.g., {"alg":"HS256","typ":"JWT"})
- Payload - the claims/data (e.g., user ID, roles, expiration)
- Signature - lets a recipient holding the right key verify that the header and payload have not been tampered with
Example: eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxfQ.abc123 (the first two segments decode to {"alg":"HS256"} and {"user_id":1}; the third segment here is a placeholder, not a real signature)
Common JWT Claims
- iss (issuer) - who issued the token
- sub (subject) - who the token is about (usually the user ID)
- aud (audience) - intended recipient
- exp (expiration) - when the token expires (Unix timestamp)
- iat (issued at) - when the token was created
- nbf (not before) - the token is not valid before this time
- jti (JWT ID) - unique identifier for the token
Free Online JWT Decoder
Use SnapSum JWT Decoder to decode and inspect JWTs in your browser. The header and payload are decoded locally - your token never leaves your device.
- Paste any JWT and instantly see decoded header and payload
- Unix timestamps (exp, iat, nbf) are converted to readable dates
- Expiration check based on the exp claim (decoding alone cannot verify the signature, so "valid" here means "not expired", not "trustworthy")
- No server-side processing - your tokens stay private
Step-by-Step: Decode a JWT
- Open JWT Decoder.
- Paste your JWT token.
- View the decoded header and payload instantly.
- Check expiration and other time-based claims.
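What those steps do under the hood, as an added example (this is not SnapSum's code): split the token on dots, restore the Base64URL padding that JWTs drop, parse the header and payload as JSON, and render exp/iat/nbf as dates with the two time-based failure modes flagged. The token constant is the article's own example; the signature is left untouched because decoding is inspection only, not verification.

```python
import base64
import json
from datetime import datetime, timezone

# The article's example token: header {"alg":"HS256"}, payload {"user_id":1}.
# Its third segment is a placeholder rather than a real HMAC.
EXAMPLE_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxfQ.abc123"

TIME_CLAIMS = ("iat", "nbf", "exp")


def b64url_decode(segment: str) -> bytes:
    """JWT segments are Base64URL without '=' padding; restore it first,
    because the standard decoder rejects mis-padded input."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str):
    """Split a compact JWT into (header, payload, raw signature segment).
    Inspection only: nothing here checks the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, parts[2]


def describe_time_claims(payload: dict, now: int) -> dict:
    """Render iat/nbf/exp as UTC ISO-8601 strings and flag the two time-based
    failure modes (RFC 7519: the token is usable while nbf <= now < exp)."""
    out = {}
    for claim in TIME_CLAIMS:
        if claim in payload:
            out[claim] = datetime.fromtimestamp(payload[claim], tz=timezone.utc).isoformat()
    out["expired"] = "exp" in payload and now >= payload["exp"]
    out["not_yet_valid"] = "nbf" in payload and now < payload["nbf"]
    return out


def inspect_token(token: str, now: int) -> dict:
    """What a browser-side decoder shows: decoded parts plus time-claim status."""
    header, payload, signature = decode_jwt(token)
    return {
        "header": header,
        "payload": payload,
        "signature_segment": signature,
        "time": describe_time_claims(payload, now),
    }


if __name__ == "__main__":
    import time
    print(json.dumps(inspect_token(EXAMPLE_TOKEN, int(time.time())), indent=2))
```

The padding fix is the detail most hand-rolled decoders get wrong: a payload segment such as eyJ1c2VyX2lkIjoxfQ is 18 characters long and needs two "=" appended before a strict Base64 decoder will accept it.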
Security Warning: JWTs Are Not Encrypted
The header and payload of a JWT are Base64URL-encoded, not encrypted. Anyone who has the token can read its contents: Base64URL, like plain Base64, is an encoding, not encryption. This applies to signed tokens (JWS), which is what virtually every API issues; JWE, the encrypted variant, is rare in practice. Never put sensitive data (passwords, SSNs, API keys) in a JWT payload.
The signature guarantees integrity (the token has not been modified) and, once verified with the right key, authenticity (it was issued by the key holder), but not confidentiality (the contents are readable by anyone holding the token). Decoding a token is not verifying it: never act on claims from a decoded token until the server has checked the signature.
Common JWT Issues
- Token expired - check the exp claim. If it is in the past, the token is invalid.
- Wrong audience - the aud claim must match the expected audience.
- Algorithm mismatch - the alg in the header must match what your server expects. Beware of the "none" algorithm attack: if the server lets the token choose its own algorithm, an attacker can set alg to "none", drop the signature and forge any payload. Pin the accepted algorithm (or a short allow-list) on the server instead of reading it from the header.
- Clock skew - if client and server clocks are off, tokens may appear expired prematurely or fail the nbf check; verifiers commonly allow a small leeway of a minute or so.
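The verification side of the issues above and of the security warning before them, as an added example rather than code from the page or from SnapSum: a toy HS256 issuer and a verifier that pins the algorithm (so an alg "none" token is refused before its signature is even examined), recomputes the HMAC over the exact bytes received, applies leeway to exp and nbf for clock skew, and checks aud. The secret, the expected audience and the claims are constructed for the example; the tampering and forging helpers exist only to show what the verifier rejects.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example; a real server loads the key from a secrets store.
SECRET = b"example-hmac-key-not-for-production"
EXPECTED_AUD = "api.example.com"
# Pinned server-side. The verifier decides the algorithm; the token's header never does.
ALLOWED_ALGS = {"HS256"}
LEEWAY_SECONDS = 60   # tolerance for clock skew between issuer and verifier


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a token: HMAC-SHA256 over 'header.payload' (the JWS signing input)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(payload)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def forge_alg_none(payload: dict) -> str:
    """The 'none' attack: declare an unsecured JWS and send no signature at all.
    It only works against verifiers that honour the header's alg."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(payload) + "."


def swap_payload(token: str, new_payload: dict) -> str:
    """Tamper with a token: keep header and signature, replace the claims."""
    h, _, s = token.split(".")
    return f"{h}.{_segment(new_payload)}.{s}"


def verify(token: str, key: bytes, now: int, leeway: int = LEEWAY_SECONDS) -> dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError
    with one of the reasons the article lists."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # 1. Algorithm: allow-list check before touching the signature. Rejecting
    #    only "none" is not enough; anything that is not pinned is refused.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    # 2. Signature: recompute over the exact segments received, compare in constant time.
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p_b64))
    # 3. Time claims, with leeway so a slightly fast verifier clock does not
    #    reject a token that was issued a moment ago (the clock-skew issue above).
    if "exp" in payload and now >= payload["exp"] + leeway:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"] - leeway:
        raise ValueError("token not yet valid")
    # 4. Audience: aud may be a string or a list; this verifier must appear in it.
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD not in audiences:
        raise ValueError("wrong audience")
    return payload


def outcome(token: str, key: bytes, now: int) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        verify(token, key, now)
        return "ok"
    except ValueError as err:
        return str(err)
```

The order of the checks matters: the algorithm is pinned before any cryptography runs, the signature is checked before any claim is trusted, and only then are exp, nbf and aud read from a payload that is now known to be authentic.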
JWT vs. OAuth Tokens
JWT is a token format. OAuth is an authorization framework. OAuth often uses JWTs as access tokens, but OAuth tokens can also be opaque strings. Not every JWT is an OAuth token, and not every OAuth token is a JWT.