jwt · json web token · authentication · security

What Is a JWT and How to Decode It (Developer Guide)

Understand JSON Web Tokens: header.payload.signature structure, claims, how to decode a JWT and why they should never store sensitive data.

June 21, 2026·6 min read

If you work with APIs or authentication, you've run into long strings starting with eyJ.... These are JWTs (JSON Web Tokens), a widely used standard for carrying signed claims in authentication and authorization flows. They start with eyJ because that is the Base64URL encoding of the characters {" followed by the first letter of a key such as alg: every JWT header is a JSON object. This guide explains how they're built, how to decode them and what you should and shouldn't put inside.

What is a JWT

A JWT is a compact token that carries a set of claims between two parties in a way the receiver can verify. It's mostly used for authentication and authorization: when you log in, the server issues a JWT, and you send it with each request to prove who you are, without the server having to store session state. The trade-off is that a token stays valid until it expires, so revoking one early takes extra machinery (short lifetimes plus refresh tokens, or a server-side denylist).

The structure: three parts

A JWT has three parts separated by dots: header.payload.signature.

eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMiLCJuYW1lIjoiQW5hIn0.X3k...

1. Header

States the signing algorithm (alg) and the token type (typ). Encoded in Base64URL:

{ "alg": "HS256", "typ": "JWT" }

2. Payload

Contains the claims: the token's data. Also in Base64URL:

{ "sub": "123", "name": "Ana", "exp": 1735689600 }

Common registered claims (RFC 7519): sub (subject, usually the user ID), exp (expiration), nbf (not before), iat (issued at), iss (issuer), aud (audience) and jti (token ID). The time claims are seconds since the Unix epoch, so the exp above is 2025-01-01T00:00:00Z.

3. Signature

This is what makes the token verifiable. It's computed over the first two segments exactly as they appear in the token (Base64URL header, a dot, Base64URL payload), using either an HMAC with a shared secret (HS256) or a digital signature with a private key (RS256, ES256). If someone modifies the header or the payload, the recomputed signature no longer matches and a verifying server rejects the token.

The key point: decoding ≠ verifying

Here's the most dangerous misunderstanding. The header and payload are NOT encrypted, just Base64URL-encoded. Anyone can decode and read them with no key at all. The signature hides nothing: it only lets a party that holds the verification key confirm that the token was produced by the holder of the signing key and has not been altered since. It also says nothing about who is presenting the token: a JWT is a bearer credential, so whoever obtains a copy can use it until it expires.

Direct consequence: never put sensitive data in a JWT payload (passwords, private personal data, card numbers, internal secrets). Anyone holding the token can read them, and tokens get copied into places you don't control: browser storage, proxy and access logs, crash reports, support tickets.

How to decode a JWT

Decoding a JWT means splitting it on the dots and turning the header and payload from Base64URL into readable JSON. Base64URL is ordinary Base64 with - and _ in place of + and / and no = padding, so a generic Base64 decoder may need the padding restored first. With a decoder tool the steps are:

  1. Paste the full token.
  2. The tool splits on the dots (a signed JWT has exactly three segments; five segments means a JWE, whose payload is encrypted and cannot be read this way).
  3. It decodes header and payload and shows them as JSON.
  4. You can see the claims, the expiration, the algorithm… but none of this tells you whether the signature is valid.

You can do it free with the JWT decoder on this site, which decodes everything in your browser: the token is never sent to any server. That matters, because a JWT is a live credential.
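The same steps in code, as an added example that is not the site's own decoder: a Base64URL decoder, a three-segment splitter, and a check of the exp claim. It also shows the point made in the previous section: the payload can be swapped for anything and the result still decodes perfectly, because decoding never looks at the signature. The sample token reuses the article's header and payload segments with a made-up signature segment; Node.js is assumed (in a browser, swap Buffer for atob/btoa).

```javascript
// Added example (not the site's own decoder): read a JWT with no key at all.
// Node.js; in a browser, swap Buffer for atob/btoa.

// Base64URL (RFC 4648 section 5) differs from plain Base64: '-' replaces
// '+', '_' replaces '/', and the trailing '=' padding is dropped. A generic
// Base64 decoder wants both restored.
function base64UrlDecode(segment) {
  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split into header.payload.signature and parse the first two as JSON.
// The signature is returned as the raw segment: it is bytes, not JSON,
// and nothing in this function checks it.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    // Five segments would be a JWE (encrypted), which cannot be read this way.
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [headerB64, payloadB64, signatureB64] = parts;
  return {
    header: JSON.parse(base64UrlDecode(headerB64)),
    payload: JSON.parse(base64UrlDecode(payloadB64)),
    signature: signatureB64,
  };
}

// Has the exp claim passed at the given time (seconds since the epoch)?
// Reading exp is a decoding task; it still says nothing about the signature.
function isExpired(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  return typeof payload.exp === 'number' && nowSeconds >= payload.exp;
}

// Swap in a different payload and keep the original signature segment.
// The result still decodes cleanly; only a verifier would notice.
function replacePayload(token, newPayload) {
  const [headerB64, , signatureB64] = token.split('.');
  return `${headerB64}.${base64UrlEncode(JSON.stringify(newPayload))}.${signatureB64}`;
}

// Constructed sample: the header and payload segments from the article,
// plus a signature segment that is simply made up. Decoding succeeds anyway.
const SAMPLE_JWT =
  'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMiLCJuYW1lIjoiQW5hIn0.X3kZm9yZ2VkLXNpZ25hdHVyZQ';

const decoded = decodeJwt(SAMPLE_JWT);
console.log(decoded.header);   // { alg: 'HS256' }
console.log(decoded.payload);  // { sub: '123', name: 'Ana' }
const forged = replacePayload(SAMPLE_JWT, { sub: '123', name: 'Ana', admin: true });
console.log(decodeJwt(forged).payload);  // { sub: '123', name: 'Ana', admin: true }
```

Note that the forged token carries an admin claim the issuer never signed, and this code has no way to tell. Anything that decides access based on the output of decodeJwt alone is trusting the client.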

Common JWT mistakes

  • Storing sensitive data in the payload: it's readable by anyone who sees the token.
  • Not checking the time claims: a token whose exp has passed (or whose nbf is still in the future) must be rejected, with at most a small allowance for clock skew.
  • Trusting a token without verifying the signature on the server: decoding is not validating. Verifying also means accepting only the algorithm and key you expect, never whatever the token's own header names.
  • Storing the JWT in localStorage without thinking about XSS: any script running on the page can read it. An HttpOnly, Secure cookie keeps it away from scripts, at the cost of needing CSRF protection (a SameSite attribute and usually a CSRF token); choose according to your case.

Frequently asked questions

Is a JWT encrypted? Not by default. It's signed and Base64URL-encoded, but its content is readable by anyone who has it. (JWE exists to encrypt the payload, but it's less common.)

Can I trust what I read when decoding it? To see the content, yes; to act on it, the server must first verify the signature with the right key and only then read the claims.

Is it safe to paste my JWT into an online decoder? Only if it decodes locally. A JWT is an active credential; don't paste it into sites that send it to a server.

Which signing algorithm should I use? HS256 (a shared secret) for a single service that both issues and verifies its own tokens; keep in mind that every party holding the secret can also mint tokens. RS256 or ES256 (a key pair) when other services need to verify tokens issued elsewhere: they receive only the public key and cannot forge tokens. Whichever you pick, configure the verifier for that one algorithm rather than trusting the alg field in the token.


Decode and inspect your tokens instantly with the free JWT decoder, 100% in your browser and without the token leaving your device.

Built by Miguel Ángel Colorado Marin (MACM)

Full-Stack Developer · Guadalajara, España

I develop web apps, digital tools and full projects — from design to deployment.