Developer · April 2026 · 5 min read

How to Decode a JWT Token (Without the Secret)

JWTs are encoded, not encrypted — anyone can read the payload without the secret key. Decoding a JWT is essential for debugging authentication issues, inspecting token claims, and verifying that tokens contain the expected data. The secret is only needed to verify the signature, not to read the contents.

Derek Giordano
Designer & Developer
In this guide
1. Decoding a JWT Manually
2. Decoding in JavaScript
3. What to Look for in a Decoded JWT
4. Decoding vs Verifying
⚡ Key Takeaways
  • Decode any JWT to inspect its header, payload, and claims.
  • Decoding a JWT manually.
  • Decoding in JavaScript.
  • What to look for in a decoded JWT.
  • Decoding vs. verifying.

Decoding a JWT Manually

A JWT has three parts separated by dots. Each part is Base64URL-encoded. To decode:

1. Split the token by dots to get header, payload, and signature.

2. Base64URL-decode the first part (header) — it shows the algorithm and token type.

3. Base64URL-decode the second part (payload) — it contains the claims (user ID, expiration, roles, etc.).

4. The third part (signature) is binary and not human-readable.

In JavaScript: JSON.parse(atob(token.split('.')[1]))

Decoding in JavaScript

The simplest JavaScript decoder:


function decodeJWT(token) {
  // Header and payload are Base64URL; atob() expects standard Base64,
  // so swap '-' for '+' and '_' for '/' before decoding.
  // Note: atob() returns a Latin-1 string, so non-ASCII claim values
  // need a UTF-8 decode step before JSON.parse if you rely on them.
  const [header, payload] = token.split('.').slice(0, 2)
    .map(part => JSON.parse(atob(part.replace(/-/g, '+').replace(/_/g, '/'))));
  return { header, payload };
}

Note the character replacements: JWT uses Base64URL encoding (- instead of +, _ instead of /), while atob() expects standard Base64. The replace calls handle this conversion.

What to Look for in a Decoded JWT

Key claims to inspect: sub (who the token is about — usually a user ID), exp (expiration as a Unix timestamp — convert to a date to check if it's expired), iat (when it was issued), iss (who issued it), aud (intended audience), and any custom claims like roles or permissions. If exp is in the past, the token is expired. If iss doesn't match your expected issuer, the token may be from a different system.


Decoding vs Verifying

Decoding a JWT only reads the payload — it doesn't verify the signature. A decoded token tells you what claims it carries, but it doesn't confirm the claims are legitimate. Never trust a decoded-but-unverified JWT for authorization decisions. Always verify the signature server-side using the signing secret (HS256) or public key (RS256). The JWT Decoder tool decodes tokens instantly — paste any JWT and see the header, payload, and expiration status.

Frequently Asked Questions

Can I decode a JWT without the secret key?
Yes. JWTs are encoded (Base64URL), not encrypted. Anyone can decode and read the header and payload. The secret key is only needed to verify the signature — to confirm the token hasn't been tampered with.
How do I check if a JWT is expired?
Decode the token and look at the exp claim. It's a Unix timestamp (seconds since January 1, 1970). Compare it to the current time. If exp is in the past, the token is expired.
Is it safe to decode JWTs in the browser?
Yes, for inspection purposes. Decoding just reads the payload — it doesn't expose the signing secret. But never make authorization decisions based on a decoded-but-unverified token.
Try it yourself

Use the JWT Decoder — free, no signup required.

Derek Giordano
Written by the creator of Ultimate Design Tools. BA in Business Marketing.