JSON Web Tokens (JWTs) are everywhere in modern authentication, from OAuth flows to API keys. When something goes wrong, you often just need to see what is inside the token. The ToolOrbit JWT Decoder splits a token into its parts and shows you the header and payload in readable JSON, entirely within your browser.
The three parts of a JWT
A JWT is three Base64URL-encoded sections joined by dots: the header, the payload, and the signature. The header describes the signing algorithm, the payload carries the claims, and the signature lets a server confirm the token has not been tampered with.
header.payload.signature
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMiLCJleHAiOjE3....SflKxw...
Reading the claims
- sub: the subject, usually the user or account the token represents
- exp: expiry as a Unix timestamp; the token is invalid after this moment
- iat: issued-at time, useful for spotting clock skew or stale tokens
- iss and aud: the issuer and intended audience, which a verifier should check
- Custom claims: roles, scopes, tenant IDs, and other app-specific data
The decoder highlights the expiry so you can immediately tell whether a token is still valid, which is one of the most common debugging questions.
Using the JWT Decoder safely
Paste a token to see its header and payload instantly. Because decoding happens locally and the payload of a JWT is not encrypted, anyone holding the token can read it. Treat tokens like passwords: do not paste production tokens into untrusted online tools. ToolOrbit keeps everything in your browser, but the habit matters everywhere.
Best practices
Keep payloads small and avoid putting sensitive personal data in claims, since they are merely encoded, not hidden. Set short expiries, validate iss and aud on the server, and remember that the only thing standing between a forged token and your API is a proper signature check.
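To make the split-and-decode step from "The three parts of a JWT" and the server-side checks recommended here concrete, the following is an added Python example, not ToolOrbit's own code; the secret, issuer, audience and claims are constructed sample values. decode_jwt does what a decoder tool does (reads, verifies nothing), while verify_hs256 is the check an API must run before trusting any claim.

```python
import base64, hashlib, hmac, json, time

SECRET, ISSUER, AUDIENCE = b"constructed-demo-secret", "https://issuer.example", "orders-api"  # constructed, not real
CLAIMS = {"sub": "123", "iss": ISSUER, "aud": AUDIENCE, "iat": 1700000000, "exp": 1700003600}

def b64url_decode(segment):
    # Base64URL drops the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt(token):
    """What a decoder tool does: split the three parts and decode them, verifying nothing."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated parts")
    header, payload, signature = parts
    return {"header": json.loads(b64url_decode(header)),
            "payload": json.loads(b64url_decode(payload)),
            "signature": b64url_decode(signature),
            "signing_input": f"{header}.{payload}".encode()}  # the bytes the signature covers

def verify_hs256(token, secret, issuer, audience, now=None):
    """Server-side check: pin the alg, verify the signature, then check exp, iss and aud."""
    parsed = decode_jwt(token)
    if parsed["header"].get("alg") != "HS256":  # the token itself must not choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, parsed["signing_input"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, parsed["signature"]):
        raise ValueError("bad signature")
    claims = parsed["payload"]
    now = int(time.time()) if now is None else now
    if now >= claims.get("exp", 0):  # a missing exp counts as already expired
        raise ValueError("token expired")
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong iss or aud")
    return claims

def sign_hs256(claims, secret):
    """Mint a sample HS256 token so the checks above have something to verify."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def rejection_reason(token, secret, issuer, audience, now):
    try:
        verify_hs256(token, secret, issuer, audience, now)
    except ValueError as err:
        return str(err)  # falls through to None when the token verifies
```

A token minted with a different secret decodes just as readably as a genuine one; only verify_hs256 tells them apart, which is the point of the last sentence above.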