What Is a JWT Token and How Does It Work?
JSON Web Token (JWT) is an open standard, defined in RFC 7519, for representing claims as a compact, URL-safe string that can be passed between two parties. In practice a JWT is almost always a signed token (a JWS, RFC 7515). The issuer signs it either with a symmetric MAC such as HMAC-SHA256 (HS256), where issuer and verifier share one secret, or with an asymmetric algorithm such as RSA (RS256) or ECDSA (ES256), where the verifier needs only the issuer's public key. Either way the receiving service can check the token locally, without a round trip to the authorization server on every request. The standard also allows encrypted tokens (JWE) and "unsecured" tokens whose header says alg none; a verifier should reject the latter unless it explicitly expects them. JWTs underpin OAuth 2.0 and OpenID Connect and are issued by identity platforms such as Firebase Authentication, Auth0, AWS Cognito, and Supabase.
A JWT consists of three Base64URL-encoded sections joined by dots: the Header, the Payload, and the Signature. The Header declares the signing algorithm (alg) and the token type (typ). The Payload carries the claims: structured assertions about an entity such as the subject (sub), the issued-at time (iat), the expiry time (exp), and application-specific data such as roles. The Signature is computed over the ASCII string formed by the encoded Header, a dot, and the encoded Payload, either as an HMAC with the shared secret or as a digital signature with the issuer's private key. Any change to the Header or Payload invalidates the Signature, but that is only detected if the verifier actually recomputes and checks it; decoding alone detects nothing.
How to Decode a JWT Using This Tool
Paste any JWT string (in the format xxxxx.yyyyy.zzzzz) into the input field. The tool splits the token at its dot separators, Base64URL-decodes the first two segments, and displays the parsed JSON of the Header and Payload side by side. The expiry claim (exp) is converted from a Unix timestamp (seconds since the epoch) into a human-readable countdown, so you can see at a glance whether the token has passed its expiry time. Note that "not yet expired" is not the same as "valid": the tool does not check the signature, so an unexpired token may still be forged or revoked. Click Clear Input to reset the form.
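As an added example (not the tool's own source code), here is a minimal client-side decoder of the kind described above, in browser-compatible JavaScript: it splits the token, Base64URL-decodes the Header and Payload, flags alg none, and turns exp into a countdown relative to a supplied time. The first sample token is constructed for this example and its third segment is a placeholder, not a real signature; the second is the widely published jwt.io demo token. The base64UrlEncode helper exists only to build the constructed sample, and nothing here verifies a signature.

```javascript
// Added example: a browser-style JWT *decoder*. It never verifies the signature,
// so everything it returns is untrusted input. Runs unchanged in Node 16+ too.

// RFC 7515 Appendix C: Base64URL is Base64 with '-' '_' instead of '+' '/'
// and the trailing '=' padding removed. Restore both before calling atob.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const rem = b64.length % 4;
  if (rem === 1) throw new Error("invalid Base64URL segment length");
  const bytes = Uint8Array.from(atob(b64 + "=".repeat(rem ? 4 - rem : 0)), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes); // reject malformed UTF-8
}

// Only needed to build the constructed sample token below.
function base64UrlEncode(str) {
  const bin = String.fromCharCode(...new TextEncoder().encode(str));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode a token and describe its exp claim relative to `nowSeconds` (Unix time).
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  const result = {
    header,
    payload,
    signatureB64: s,                  // shown, not checked
    verified: false,                  // a decoder can never set this to true
    unsecured: header.alg === "none", // RFC 7519 "Unsecured JWT": verifiers must reject unless expected
    expiresIn: null,                  // seconds until exp; negative once past; null if no exp claim
    expired: null,
  };
  if (typeof payload.exp === "number") {
    result.expiresIn = payload.exp - nowSeconds;
    result.expired = result.expiresIn <= 0; // RFC 7519: "now" must be strictly before exp
  }
  return result;
}

// Human-readable countdown of the kind the tool displays.
function formatExpiry(expiresIn) {
  if (expiresIn === null) return "no exp claim";
  const a = Math.abs(expiresIn);
  const hms = `${Math.floor(a / 3600)}h ${Math.floor((a % 3600) / 60)}m ${a % 60}s`;
  return expiresIn > 0 ? `expires in ${hms}` : `expired ${hms} ago`;
}

// Constructed sample: HS256 header, a payload with iat/exp, and a placeholder
// third segment (not a real signature; this code would not notice anyway).
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({ sub: "alice", role: "user", iat: 1700000000, exp: 1700003600 })),
  base64UrlEncode("not-a-real-signature"),
].join(".");

// The widely published jwt.io demo token (it has no exp claim), used as a second input.
const PUBLIC_EXAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header, decoded.payload, formatExpiry(decoded.expiresIn));
```

The length check before padding matters: a segment whose length is 1 mod 4 cannot be valid Base64 and should be rejected rather than silently padded. Setting fatal: true on TextDecoder likewise turns a malformed byte sequence into an error instead of replacement characters.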
Is It Safe to Paste My JWT Token Online?
With this tool, yes, within the limits of your own browser. Plobi-kit's JWT Decoder runs entirely in client-side JavaScript: the token string is never sent to a server, logged, or cached anywhere outside your local browser tab, and the page works offline once it has loaded. That matters because JWTs often carry sensitive identity claims (user IDs, email addresses, roles, and custom permissions) and, more importantly, because a live token is a bearer credential: anyone who obtains it can use it until it expires. Many online decoders process tokens server-side, so pasting a production token into one of them is equivalent to handing over a session. Even with a client-side tool, prefer pasting tokens that are already expired or were issued by a test environment, and remember that no decoder can protect you from a compromised browser, a malicious extension, or clipboard history.
Common Use Cases for JWT Decoding
- Debugging authentication flows: when an API request returns 401 Unauthorized, inspect the bearer token's claims (`sub`, `aud`, `scope`) to see whether the wrong token is being sent or the expected claims are missing.
- Verifying token expiry: check the `exp` (expiration) and `iat` (issued-at) claims to confirm whether a cached token is still within its lifetime before requesting a new one.
- Inspecting third-party SSO tokens: when integrating Google Sign-In or an enterprise OpenID Connect provider, decode the returned ID token to confirm which user attributes the payload actually contains before writing your profile-mapping logic. Note that plain OAuth 2.0 access tokens, such as those issued by GitHub OAuth, may be opaque strings rather than JWTs, and SAML providers return XML assertions, so neither will decode here.
Frequently Asked Questions
Q: Can this tool verify the JWT signature?
A: No. This decoder only parses the Header and Payload; it does not check the signature at all, so everything it displays is unverified, attacker-controllable input. Verifying an HS256 token requires the shared HMAC secret, which must never be pasted into a third-party tool, because anyone holding it can mint valid tokens. Verifying an RS256 or ES256 token needs only the issuer's public key, but this tool does not implement that either. Do verification on your backend with a maintained library (for example jsonwebtoken in Node.js or PyJWT in Python), and configure it to accept only the algorithm(s) you actually issue, to reject alg none, and to enforce exp, nbf, iss, and aud.
Q: What is the difference between JWT and a session cookie?
A: A traditional session cookie carries only an opaque session ID, and all session state lives on the server. A JWT is self-contained: the server can verify it with the key alone, without a database lookup, which suits stateless, distributed, and microservice architectures where several services must authenticate the same user. The trade-off is revocation. A server-side session can be deleted instantly, whereas a signed JWT stays valid until its exp unless you keep lifetimes short or maintain a denylist.
Q: Why does my JWT payload not contain my password?
A: JWTs should never contain passwords or other secrets. The Payload is Base64URL-encoded, not encrypted; anyone who obtains the token can read every claim, and this decoder is the proof. Always send JWTs over HTTPS. If you store one in the browser, a Secure, HttpOnly, SameSite cookie keeps it out of reach of injected JavaScript (at the cost of needing CSRF protection), whereas localStorage exposes it to any XSS on the page.