DevToolBox
Security & Auth 7 min read 2026-03-16

How to Decode a JWT Token Safely

Understand the structure of a JWT, decode header and payload locally, and avoid common mistakes when inspecting tokens.

Intro

A JWT can look opaque at first glance, but its first two sections are only Base64URL-encoded JSON. Decoding them is usually enough to inspect claims, expiration times, audiences, and token metadata.

The important caveat is that decoding does not verify trust. You can read a token without validating its signature, so a decoded payload tells you what the token claims, not whether those claims are genuine.

What is it?

A JWT, or JSON Web Token, is a compact token format built from three dot-separated parts: header, payload, and signature.

The header describes the token type and algorithm, the payload contains claims, and the signature protects integrity.
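As an added illustration (not code from the DevToolBox tool itself), here is a minimal Python decoder that does exactly what the three-part description implies and nothing more: it splits the token on dots, restores the Base64URL padding that JWTs omit, and parses the first two parts as JSON. The sample token is constructed inline with an arbitrary signature, so the decoder reporting `verified: False` is the honest answer; nothing in this block looks at the signature.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Base64URL-decode one JWT segment, restoring the '=' padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Base64URL-encode bytes without padding, as JWTs do."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> dict:
    """Split a compact JWT and parse its header and payload.

    This only reads the token. The signature bytes are returned untouched and
    nothing here checks them, so 'verified' is always False: the result is
    what the token claims, not what has been proven.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated parts, got {len(parts)}")
    header_b64, payload_b64, signature_b64 = parts
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(signature_b64),
        "verified": False,
    }


# Constructed sample token (not a real credential). The header and payload are
# genuine JSON; the signature is arbitrary bytes, which a decoder accepts
# without complaint because decoding never looks at it.
SAMPLE_TOKEN = ".".join([
    b64url_encode(b'{"alg":"HS256","typ":"JWT"}'),
    b64url_encode(b'{"sub":"user-123","iss":"https://auth.example","exp":1900000000}'),
    b64url_encode(b"\x00not-a-real-signature"),
])

if __name__ == "__main__":
    decoded = decode_jwt_unverified(SAMPLE_TOKEN)
    print(json.dumps(decoded["header"], indent=2))
    print(json.dumps(decoded["payload"], indent=2))
    print("verified:", decoded["verified"])
```

The padding arithmetic (`-len(segment) % 4`) is the one detail that trips up hand-rolled decoders: standard Base64 decoders reject unpadded input, and JWT segments are always unpadded.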

Why it matters

  • Decoding JWTs helps debug login flows, broken claims, or incorrect expiration times.
  • It lets you inspect token contents without sending them to third-party services.
  • Understanding the structure reduces confusion between decoding and verifying.

Examples

Read the `exp` and `iat` claims

A decoded payload lets you confirm whether a token is already expired or issued in the expected time window.

header.payload.signature

Inspect audience and issuer

A mismatch in `aud` or `iss` is a common cause of authentication failures between environments.

Common mistakes

  • Assuming a decoded token is automatically valid.
  • Pasting tokens into remote tools when claims are sensitive.
  • Ignoring timezone conversion when checking `exp` and `nbf` values.
  • Forgetting that the signature cannot be reversed into a secret.
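The checks that the two examples above and this list of mistakes call for, written out as an added Python example (this is not the DevToolBox tool's code; the key, the fixed clock value, the issuer `https://auth.example` and the audience `api.example` are constructed for the demo). It verifies the HS256 signature first, then checks `exp`, `nbf` and `iat` as UTC epoch seconds, then `iss` and `aud`; every failure raises, so a token that merely decoded can never be mistaken for one that was validated. The `sign_hs256` function exists only to build the demo token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    """Base64URL-decode one JWT segment, restoring the '=' padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Base64URL-encode bytes without padding, as JWTs do."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build a compact HS256 JWT; used here only to construct demo input."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def verify_jwt(token: str, key: bytes, *, issuer: str, audience: str,
               now: Optional[int] = None, leeway: int = 30) -> dict:
    """Verify the signature, then the time and identity claims; return the payload.

    Every failed check raises ValueError so a caller cannot mistake a token
    that merely decoded for one that was validated.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts

    # 1. The verifier, not the token, decides which algorithm is acceptable:
    #    the header is untrusted input until the signature has been checked.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")

    # 2. Recompute the MAC over the exact bytes received (header.payload) and
    #    compare in constant time so a mismatch leaks nothing via timing.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")

    payload = json.loads(b64url_decode(payload_b64))

    # 3. exp/nbf/iat are Unix epoch seconds, which are UTC by definition, so
    #    compare them with an epoch timestamp, never a local wall-clock value.
    now = int(time.time()) if now is None else now
    if "exp" in payload and now > payload["exp"] + leeway:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"] - leeway:
        raise ValueError("token not yet valid")
    if "iat" in payload and payload["iat"] > now + leeway:
        raise ValueError("token issued in the future")

    # 4. iss and aud must match what this service expects; aud may be a single
    #    string or a list (RFC 7519 allows both).
    if payload.get("iss") != issuer:
        raise ValueError(f"issuer mismatch: {payload.get('iss')!r}")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError(f"audience mismatch: {aud!r}")

    return payload


# Constructed demo key, clock and token (not real secrets or credentials).
DEMO_KEY = b"demo-hmac-key-not-for-production"
DEMO_NOW = 1_800_000_000  # fixed "current time" so the demo is reproducible
DEMO_TOKEN = sign_hs256(
    {"alg": "HS256", "typ": "JWT"},
    {"sub": "user-123", "iss": "https://auth.example", "aud": ["api.example"],
     "iat": DEMO_NOW - 60, "nbf": DEMO_NOW - 60, "exp": DEMO_NOW + 3600},
    DEMO_KEY,
)

if __name__ == "__main__":
    claims = verify_jwt(DEMO_TOKEN, DEMO_KEY, issuer="https://auth.example",
                        audience="api.example", now=DEMO_NOW)
    print("verified claims:", claims)
```

Pinning the algorithm on the verifier side and the 30-second leeway are design choices made for this example, not something the page prescribes. For tokens signed with an asymmetric algorithm, the same order of checks applies, with the signature step replaced by public-key verification from a maintained JWT library.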

Use the tool

Ready to try JWT Decoder?

Inspect JWT headers and payload locally.


FAQ

Does decoding a JWT verify the signature?

No. Decoding only reveals the header and payload. Signature verification requires the right secret or public key.

Can I decode a JWT without a secret?

Yes. Reading header and payload does not require the signing key. Only verification does.