JWT Tokens Explained: What They Are and How to Decode Them

SnipKit Team · 6 min read

The Authorization header in your API request contains a long dot-separated string starting with eyJ.... That's a JSON Web Token — a JWT. A JWT decoder splits it apart and shows you what's inside. This guide covers the three parts, how to read them, and what to watch out for.

What Is a JWT and Where You'll See One

A JWT is a compact token for passing claims between a client and a server. The token carries its own data — the server doesn't need a database lookup to know who you are.

You'll encounter JWTs in Authorization: Bearer <token> headers, OAuth 2.0 access tokens, and single sign-on flows.

The Three Parts: Header, Payload, Signature

Every JWT has three sections separated by dots: header.payload.signature. Each is base64url-encoded. Decode the header and payload and you get plain JSON; the signature decodes to raw bytes.

Header

{ "alg": "HS256", "typ": "JWT" }

The token type (JWT) and the signing algorithm (HS256 for HMAC-SHA256, RS256 for RSA).

Payload

{
  "sub": "user_123",
  "role": "admin",
  "iat": 1742313600,
  "exp": 1742400000
}

The payload holds claims about the user. Standard claims: sub (user ID), iat (issued at), exp (expiration), iss (issuer), aud (audience). Custom fields like role live here too. Paste complex payloads into the JSON Formatter.

Signature

An HMAC or digital signature over the encoded header and payload (joined with a dot), computed with a secret key (HS256) or a private key (RS256). Change one character of either part and the signature no longer verifies. The signature does not encrypt the payload — anyone can read a JWT; only a holder of the verification key can check that it is genuine.

How to Decode a JWT

Paste your token into the SnipKit JWT Decoder. It splits all three sections, decodes each one, and shows expiration as a human-readable date. No signup, no server call.

In code, the trick is atob() in JavaScript or base64.urlsafe_b64decode() in Python — split by dots, decode the second segment, parse as JSON. One caveat: base64url uses - and _ instead of + and / and drops the trailing = padding, so convert the alphabet and re-pad to a multiple of four characters before calling atob() (urlsafe_b64decode handles the alphabet but still needs the padding). For quick checks — expired tokens, unexpected claims in a bug report — the JWT Decoder is faster.

Common Mistakes and Security Gotchas

Trusting the payload without verifying the signature. Client-side decode is fine for display. Server-side, always verify the signature before acting on any claim.

The alg: none attack. Some libraries accept "alg": "none", skipping verification. An attacker can forge any payload. Ensure your library rejects none by default, and pin the algorithm you expect on the server rather than letting the token's own header choose it.

Storing tokens in localStorage. Any script on your page can read it, including injected ones. Prefer HttpOnly cookies for long-lived tokens.

Ignoring exp. Always check expiration server-side. The JWT Decoder shows this in plain English so you can spot stale tokens instantly.

FAQ

Is it safe to decode a JWT online?

Yes — JWT payloads are base64-encoded, not encrypted, so decoding reveals nothing that isn't already readable. Just avoid pasting production tokens into unknown sites. The SnipKit JWT Decoder runs entirely in your browser — no data leaves your machine.

What happens when a JWT expires?

The server checks the exp claim on every request. Once exp is in the past, the server returns 401 Unauthorized. The client must re-authenticate or use a refresh token to get a new JWT.

What's the difference between JWT and session cookies?

A session cookie stores an opaque ID the server looks up in a database. A JWT carries the data inside the token — no lookup needed. JWTs scale across servers easily, but you can't revoke one before it expires. Session records can be deleted instantly.

Wrapping Up

JWTs show up in nearly every API you'll work with. Knowing the three-part structure — header, payload, signature — lets you read tokens at a glance and catch issues before they become support tickets.

Next time you see a dot-separated string in an auth header, run it through the SnipKit JWT Decoder. Full payload in one click.