How to Decode JWT Tokens Safely
Inspect headers and claims without paste-leaking the token, and understand what decoding can and cannot tell you.
Decoding a JWT is just Base64 decoding two strings. The risky part is where you paste the token while you do it. A token in the wrong text box can be logged, emailed, or stored in a third-party service for as long as that service keeps records.
1. Understand the three parts
A JWT is three Base64-URL-encoded segments separated by dots: header, payload, and signature. The first two are JSON. The third is a cryptographic signature over the first two.
// header.payload.signature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIn0.
AxwiNyXkqkz4cRFnK8aP_5wKR3...

2. Decode locally, not in a service that logs paste data
You can decode in a few lines of JavaScript:
function decodeJwt(token) {
  // Only the first two segments are JSON; the signature is left untouched
  const [header, payload] = token.split('.').slice(0, 2);
  return {
    header: JSON.parse(atob(header.replace(/-/g, '+').replace(/_/g, '/'))),
    payload: JSON.parse(atob(payload.replace(/-/g, '+').replace(/_/g, '/'))),
  };
}

The character substitutions convert from Base64-URL to standard Base64 so atob can handle it.
3. Decoding is not validation
Decoding tells you what the token claims. It does not prove the token is real. Validation requires the signing secret (HS algorithms) or the issuer's public key (RS, ES algorithms). Without that, anyone could mint a token with any claims they want, and your decoder would happily print them.
4. Watch the expiration
Always read exp when you debug authentication issues. A token that decodes cleanly but is hours past exp still gets rejected by the server.
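As an added example, not code from the article, here is a fuller version of the local decoder from step 2 that also restores Base64-URL padding, decodes UTF-8 claim values, and reports the exp and nbf status from step 4 while never verifying the signature. The sample token is constructed inline with a placeholder signature; the function names are my own.

```javascript
// Added example (not the article's own code): decode header and payload with
// full base64url handling (padding, UTF-8) and report the time claims,
// without ever verifying the signature.

function base64UrlToBytes(segment) {
  // Base64-URL -> standard Base64, then restore the '=' padding atob expects.
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(b64), (ch) => ch.charCodeAt(0));
}

function decodeSegment(segment) {
  // TextDecoder handles non-ASCII claim values that a bare atob() would mangle.
  return JSON.parse(new TextDecoder('utf-8').decode(base64UrlToBytes(segment)));
}

function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return { header: decodeSegment(parts[0]), payload: decodeSegment(parts[1]), signature: parts[2] };
}

// What decoding alone can tell you. `now` is seconds since the epoch, like exp/nbf.
function inspectJwt(token, now = Math.floor(Date.now() / 1000)) {
  const { header, payload } = decodeJwt(token);
  return {
    alg: header.alg,
    expired: typeof payload.exp === 'number' && payload.exp <= now,
    notYetValid: typeof payload.nbf === 'number' && payload.nbf > now,
    secondsToExpiry: typeof payload.exp === 'number' ? payload.exp - now : null,
    verified: false, // decoding never proves authenticity; that needs the key
  };
}

// Constructed sample token: real header and payload JSON, placeholder signature
// (NOT a valid signature, so no server would accept it).
function toBase64Url(str) {
  const bin = Array.from(new TextEncoder().encode(str), (b) => String.fromCharCode(b)).join('');
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const SAMPLE_TOKEN = [
  toBase64Url(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  toBase64Url(JSON.stringify({ sub: '1234567890', name: 'Jané Doe', exp: 1700000000 })),
  'placeholder-signature',
].join('.');

console.log(inspectJwt(SAMPLE_TOKEN, 1700000100));
```

Runs unchanged in a modern browser console or Node 18+, since atob, btoa, TextEncoder and TextDecoder are globals in both.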
When to switch to the browser tool
For one-off inspections, use JWT Decoder. It runs entirely in the browser, so the token is not transmitted anywhere. Pair it with Timestamp Converter to read iat, exp, and nbf as readable dates.
For more utility entry points, browse Developer Utility Tools.