JWTs (JSON Web Tokens) show up everywhere in modern apps — OAuth logins, API gateways, microservices, and session cookies. When auth breaks at 2 AM, you need to read the token fast.
What is a JWT?
A JWT has three Base64URL-encoded parts separated by dots:
header.payload.signature
- Header — algorithm (
alg) and token type (typ) - Payload — claims like
sub,exp,iat,roles - Signature — proves the token wasn't tampered with (requires the secret key)
Decoding shows header and payload. Verifying the signature needs your server's secret — online decoders don't do that.
When to decode a JWT
- Debug 401 Unauthorized or 403 Forbidden responses
- Check if
exp(expiration) has passed - Inspect
iss(issuer) andaud(audience) mismatches - Verify roles/scopes in the payload match what your API expects
- Compare a token from staging vs production
Decode JWT in your browser (free)
The VyomaStack JWT Decoder runs 100% in your browser — nothing is sent to a server.
1. Paste your JWT into the input field 2. See decoded header and payload as formatted JSON 3. Check expiration, issued-at, and custom claims at a glance
Common JWT claims
| Claim | Meaning |
sub | Subject (user ID) |
exp | Expiration time (Unix timestamp) |
iat | Issued at |
iss | Issuer |
aud | Audience |
roles / scope | Permissions |
Security rules
- Never paste production tokens with sensitive PII into untrusted sites
- VyomaStack processes locally — still redact tokens in screenshots and bug reports
- Decoding ≠ verifying — a forged payload decodes fine; only signature verification catches tampering
- Rotate secrets if a token with elevated claims leaks
JWT decoder vs jwt.io
Both decode locally. VyomaStack keeps JWT debugging alongside your other dev tools — SQL, JSON, regex, cron — in one workspace with no account.
Related tools
- Base64 Encoder — JWT parts are Base64URL-encoded
- Hash Generator — checksum API keys and secrets
Try it now
Paste a JWT and inspect claims in seconds — no login required.