2026-06-10
What is JWT and how to decode it safely
Understand JWT structure, decoding, claims, and the difference between decoding and verifying a token.
JWT stands for JSON Web Token. A typical JWT has three parts: header, payload, and signature. The header and payload are Base64URL encoded JSON. The signature is used by servers to verify integrity.
Use the JWT Decoder to inspect claims locally. You can also use the Base64 Encoder/Decoder to understand how encoded segments work.
Decode is not verify
Decoding makes the header and payload readable. It does not prove the token is valid, trusted, or unmodified. Verification requires the correct cryptographic key and algorithm.
Safety advice
Avoid pasting production bearer tokens into tools you do not control. Even with browser-local tools, handle credentials deliberately and redact sensitive values in screenshots.