# JWT Decoder

> Decode JSON Web Tokens to inspect headers and payloads without verification. Client-side only.

**Category:** Dev
**Keywords:** jwt, token, decode, security, auth, json, web token
**URL:** https://complete.tools/jwt-decoder

## How it works

The Jwt Decoder processes input JWTs by splitting them into their constituent parts: the header, payload, and signature. Each part is Base64Url encoded, which is a variation of Base64 encoding designed to be URL-safe. The tool decodes each part separately, converting the Base64Url strings into JSON objects for easy readability. The signature is then validated using the specified algorithm and key, ensuring the integrity of the token. If valid, the decoded data is displayed; if invalid, an error message is provided.

## Who should use this

Web developers verifying the authenticity of tokens in authentication systems, security analysts assessing the integrity and claims of JWTs in API communications, and system administrators troubleshooting authentication issues related to token expiry or claims mismatch.

## Worked examples

Example 1: Decode a JWT `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c`. The header decodes to `{'alg': 'HS256', 'typ': 'JWT'}`, the payload to `{'sub': '1234567890', 'name': 'John Doe', 'iat': 1516239022}`, and the signature verifies as valid.

Example 2: For a JWT `eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiIxMjM0NTY3ODkwIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNTE2MjM5MDIyfQ.nZUi6X2qX4w4bO2Y6l3v9W2Lz7kD9H5YXz24C1yWb0Z`, the header decodes to `{'alg': 'RS256', 'typ': 'JWT'}`, the payload to `{'userId': '1234567890', 'role': 'admin', 'iat': 1516239022}`, and the signature is checked using the public key, confirming its validity.
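The following Python sketch is an added example, not the tool's own code. It keeps decoding and verification as separate steps: it splits and Base64Url-decodes a token, rejects malformed input with a clear error, reads the `exp` claim, and verifies an HS256 signature with the algorithm pinned by the caller. The function names and the demo key are assumptions made for this example.

```python
import base64, binascii, hashlib, hmac, json, time

# Token from the page's Example 1 (header.payload.signature).
EXAMPLE_1 = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
             "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
             "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")

def b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_unverified(token: str):
    """Return (header, payload) as dicts. The signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    try:
        header, payload = (json.loads(b64url_decode(p)) for p in parts[:2])
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"segment is not Base64Url-encoded JSON: {exc}") from None
    if not (isinstance(header, dict) and isinstance(payload, dict)):
        raise ValueError("header and payload must be JSON objects")
    return header, payload

def is_expired(payload: dict, now=None):
    """True/False from the 'exp' claim; None when 'exp' is absent or not numeric."""
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)):
        return None
    return (time.time() if now is None else now) >= exp

def hs256_signature(signing_input: str, key: bytes) -> str:
    # HMAC-SHA256 over "header.payload", Base64Url-encoded without padding.
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

def verify_hs256(token: str, key: bytes) -> bool:
    """Verify with the algorithm pinned by the caller, not chosen by the token."""
    header, _ = decode_unverified(token)
    if header.get("alg") != "HS256":
        return False
    signing_input, _, signature = token.rpartition(".")
    expected = hs256_signature(signing_input, key)
    return hmac.compare_digest(expected.encode(), signature.encode())

if __name__ == "__main__":
    header, payload = decode_unverified(EXAMPLE_1)
    print(header, payload, "expired:", is_expired(payload))
    # The key below is a constructed value, so Example 1 must not verify under it.
    print("verifies with constructed key:", verify_hs256(EXAMPLE_1, b"constructed-demo-key"))
```

Decoded claims are readable by anyone holding the token; only a successful `verify_hs256` call with the right key says anything about their integrity.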
## Limitations

Jwt Decoder has certain limitations, including:

1. It only decodes JWTs and does not verify claims against external databases, which may lead to false assumptions about a user's identity.
2. The tool relies on the correct algorithm being used for signature validation; incorrect algorithms may lead to false positives.
3. It does not handle malformed JWTs gracefully, potentially resulting in error messages without useful guidance.
4. The tool does not account for token expiration; users must manually check the 'exp' claim for validity.

## FAQs

**Q:** What are the security implications of using JWTs?
**A:** JWTs can be prone to attacks such as token theft or replay attacks if proper security measures, including HTTPS and secure storage, are not implemented.

**Q:** How can I ensure the JWT signature is valid?
**A:** The JWT signature is validated by using the specified algorithm and the appropriate secret or public key, ensuring the token has not been tampered with.

**Q:** Can Jwt Decoder decode any token format?
**A:** No, Jwt Decoder specifically decodes JSON Web Tokens (JWTs) and will not function with other token formats such as OAuth tokens or SAML assertions.

**Q:** What claims are typically included in a JWT payload?
**A:** Common claims include 'sub' (subject), 'iat' (issued at), 'exp' (expiration), and custom claims specific to the application, such as user roles.

---

*Generated from [complete.tools/jwt-decoder](https://complete.tools/jwt-decoder)*