If you've ever worked with web APIs, single-page applications, or microservices, you've likely encountered JWT (JSON Web Tokens). They look like long strings of random characters separated by dots — and at first glance, they're completely unreadable. But JWTs are actually quite simple once you understand their structure. This guide will teach you how to read, decode, and understand JWT tokens, even if you have no prior experience.
What Is a JWT?
JWT stands for JSON Web Token. It's an open standard (RFC 7519) for securely transmitting information as a JSON object. JWTs are compact, URL-safe, and self-contained — meaning all the necessary information is stored within the token itself.
JWTs are most commonly used for:
- Authentication — After a user logs in, the server issues a JWT that the client includes with subsequent requests to prove their identity.
- Authorization — The JWT contains claims about what the user is allowed to do (roles, permissions).
- Information Exchange — JWTs can securely carry data between parties, verified by a digital signature.
The Structure of a JWT
A JWT consists of three parts, separated by dots (.):
xxxxx.yyyyy.zzzzz
Header . Payload . Signature
Each part is Base64URL-encoded. Let's break them down.
1. The Header
The header typically contains two fields: the token type (typ) and the signing algorithm (alg).
{
"alg": "HS256",
"typ": "JWT"
}
Common algorithms include HS256 (HMAC with SHA-256), RS256 (RSA with SHA-256), and ES256 (ECDSA with SHA-256).
2. The Payload
The payload contains the claims — statements about the entity (usually the user) and additional metadata. There are three types of claims:
- Registered claims — Predefined names like iss (issuer), sub (subject), aud (audience), exp (expiration time), iat (issued at), and jti (unique identifier).
- Public claims — Custom claims defined by you or a community standard.
- Private claims — Custom claims for sharing information between parties.
Example payload:
{
"sub": "1234567890",
"name": "Jane Doe",
"role": "admin",
"iat": 1744176000,
"exp": 1744262400
}
3. The Signature
The signature is created by encoding the header and payload, concatenating them with a dot, and signing the result with a secret key (HMAC) or private key (RSA/ECDSA).
HMACSHA256(
base64UrlEncode(header) + "." + base64UrlEncode(payload),
secret
)
The signature ensures the token hasn't been tampered with. If even one character changes in the header or payload, the signature verification will fail.
How to Decode a JWT
Method 1: Use RiseTop's JWT Decoder (Recommended)
- Go to RiseTop JWT Decoder.
- Paste your JWT token into the input field.
- Instantly see the decoded header, payload, and signature information.
- Check if the token is expired based on the exp claim.
All decoding happens in your browser — no data is sent to any server.
Method 2: Browser DevTools
Open your browser's Developer Tools (F12), go to the Console, and run:
function decodeJWT(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('Expected three dot-separated parts');
  // Base64URL uses '-' and '_' and drops padding; atob wants the standard alphabet.
  // Decode to bytes, then as UTF-8, so non-ASCII claim values are read correctly.
  const decode = (seg) => JSON.parse(new TextDecoder().decode(
    Uint8Array.from(atob(seg.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0))));
  return { header: decode(parts[0]), payload: decode(parts[1]) };
}
decodeJWT('your.jwt.token');
Method 3: Command Line
# Using cut and base64. Plain `base64 -d` rejects the Base64URL alphabet ('-', '_')
# and missing '=' padding, so restore both before decoding.
b64url_decode() {
  s=$(tr -- '-_' '+/')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base64 -d
}
echo "YOUR_JWT" | cut -d'.' -f1 | b64url_decode   # header
echo "YOUR_JWT" | cut -d'.' -f2 | b64url_decode   # payload
# Using jq (if installed) to pretty-print the payload
echo "YOUR_JWT" | cut -d'.' -f2 | b64url_decode | jq .
Reading Common JWT Claims
When you decode a JWT payload, here are the key fields to look for:
- sub (Subject) — Who the token represents (usually a user ID).
- iss (Issuer) — Which service created the token.
- aud (Audience) — Which service is intended to receive the token.
- exp (Expiration) — When the token expires (Unix timestamp).
- iat (Issued At) — When the token was created.
- nbf (Not Before) — The token is not valid before this time.
Custom claims like role, permissions, email, or name are application-specific and depend on what the issuing server includes.
JWT Security Best Practices
While JWTs are powerful, they come with security considerations:
- Never store sensitive data in the payload — The payload is just Base64-encoded, not encrypted. Anyone can decode it. Never put passwords, API keys, or personal data in a JWT.
- Use short expiration times — Access tokens should expire quickly (15-30 minutes). Use refresh tokens for longer sessions.
- Always use HTTPS — JWTs sent over HTTP can be intercepted.
- Validate all claims — Don't just verify the signature; check iss, aud, and exp on every request.
- Choose the right algorithm — Use asymmetric algorithms (RS256, ES256) for distributed systems where multiple services need to verify tokens.
- Store tokens securely — Use httpOnly cookies instead of localStorage to prevent XSS attacks from stealing tokens.
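The "validate all claims" and "choose the right algorithm" points above, written out as the checks a server runs after the signature has been verified. This is an added example, not code from the original article: the issuer and audience values, the leeway, the three sample tokens and the function names (validateClaims, inspectToken, sampleTokens) are all constructed here; the signature segment of each sample is a placeholder because signature verification is a separate step that this block does not repeat.

```javascript
// Added example, not code from the original article: claim validation that
// runs after the signature check. Issuer, audience, timestamps and the sample
// tokens are constructed for the demo.
function base64UrlToJson(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

function jsonToBase64Url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns a list of problems; an empty list means the claims are acceptable.
function validateClaims(payload, expected) {
  const now = expected.now ?? Math.floor(Date.now() / 1000);
  const leeway = expected.leewaySeconds ?? 0;   // tolerance for clock skew between servers
  const errors = [];
  if (typeof payload.exp !== 'number') errors.push('exp claim missing');
  else if (now >= payload.exp + leeway) errors.push('token expired');
  if (typeof payload.nbf === 'number' && now < payload.nbf - leeway) errors.push('token not yet valid');
  if (payload.iss !== expected.issuer) errors.push('unexpected issuer');
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];  // aud may be a string or an array
  if (!aud.includes(expected.audience)) errors.push('audience mismatch');
  return errors;
}

// Decode header and payload, pin the algorithm, then check the claims.
function inspectToken(token, expected) {
  const parts = token.split('.');
  if (parts.length !== 3) return ['malformed token'];
  const header = base64UrlToJson(parts[0]);
  const errors = [];
  // The verifier takes the algorithm from its own configuration; a token naming
  // a different alg (including "none") is rejected before any claim is trusted.
  if (header.alg !== expected.alg) errors.push(`alg "${header.alg}" is not the configured ${expected.alg}`);
  return errors.concat(validateClaims(base64UrlToJson(parts[1]), expected));
}

// Constructed tokens that reuse the article's iat/exp values.
function sampleTokens() {
  const header = { alg: 'HS256', typ: 'JWT' };
  const base = { sub: '1234567890', iss: 'https://auth.example.test',
                 aud: 'api.example.test', iat: 1744176000, exp: 1744262400 };
  const make = (h, p) => jsonToBase64Url(h) + '.' + jsonToBase64Url(p) + '.signature-placeholder';
  return {
    good: make(header, base),
    notYetValid: make(header, { ...base, nbf: 1744250000 }),
    wrongAudience: make(header, { ...base, aud: ['other.example.test'] }),
    algNone: make({ alg: 'none', typ: 'JWT' }, base),
  };
}

const policy = { alg: 'HS256', issuer: 'https://auth.example.test',
                 audience: 'api.example.test', leewaySeconds: 30 };
// Same token, two clocks: inside the validity window, then a day later.
console.log(inspectToken(sampleTokens().good, { ...policy, now: 1744200000 }));  // []
console.log(inspectToken(sampleTokens().good, { ...policy, now: 1744300000 }));  // [ 'token expired' ]
```

The policy object is the server's configuration, so the expected algorithm, issuer and audience never come from the token being checked; the leeway is applied symmetrically to exp and nbf and should stay small (tens of seconds), since every second of leeway extends the life of an expired token.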
JWT vs. Session Cookies: When to Use Which
Both approaches have trade-offs:
- JWT — Stateless, great for microservices and APIs, works across domains. Harder to revoke and can grow large.
- Session Cookies — Server-side state, easy to revoke, smaller payload. Requires session storage and doesn't scale as easily across services.
Many modern applications use both: short-lived JWTs for API authentication and refresh tokens stored as httpOnly cookies.
Frequently Asked Questions
What is a JWT token?
A JWT (JSON Web Token) is a compact, URL-safe token used to securely transmit information between parties. It consists of three parts separated by dots: a header (algorithm and token type), a payload (claims/data), and a signature (verification). JWTs are commonly used for authentication and authorization in web applications.
Can anyone read the data inside a JWT?
Yes — the header and payload of a JWT are Base64 encoded, not encrypted. Anyone can decode them and read the contents. The signature ensures the token hasn't been tampered with, but it doesn't hide the data. Never put sensitive information like passwords or social security numbers in a JWT payload.
How do I decode a JWT token?
You can decode a JWT by splitting it on the dots (.) and Base64-decoding each part. Or use RiseTop's free JWT decoder tool — just paste the token and it instantly shows the decoded header, payload, and signature status.
What is the difference between JWT and session cookies?
Session cookies store a reference ID on the client while the server holds the actual session data. JWTs are self-contained — all the data is in the token itself, so the server doesn't need to store session state. JWTs are better for distributed systems and APIs, while session cookies offer easier revocation.
Are JWT tokens secure?
JWTs are secure when used correctly. The signature prevents tampering, and short expiration times limit the window of abuse. However, since the payload is readable by anyone, you must not store sensitive data in it. Always use HTTPS, set reasonable expiration times, and consider using refresh tokens for long-lived sessions.