How to Decode a JWT Token (And What's Inside)
JSON Web Tokens are the heartbeat of modern authentication. Every API call you make after login likely carries a JWT. When something breaks — wrong claims, expired tokens, unexpected permissions — you need to inspect the token fast. The Quill Tools JWT Decoder lets you do it in seconds, entirely client-side.
What Is a JWT?
A JSON Web Token (JWT, pronounced "jot") is a compact, self-contained token that carries information between parties as a JSON object. JWTs are digitally signed (using HMAC or RSA/ECDSA), so recipients can verify authenticity. They are defined in RFC 7519.
The Three Parts of a JWT
A JWT looks like: xxxxx.yyyyy.zzzzz
1. Header
Base64URL-encoded JSON describing the token type and signing algorithm:
{
  "alg": "HS256",
  "typ": "JWT"
}
2. Payload (Claims)
Base64URL-encoded JSON containing the claims — statements about the user and additional data:
- sub — Subject (usually user ID)
- iss — Issuer (who created the token)
- aud — Audience (intended recipient)
- exp — Expiration time (Unix timestamp)
- iat — Issued at (Unix timestamp)
- nbf — Not before (token invalid before this time)
3. Signature
Computed from the encoded header and payload using the secret key. This prevents tampering — if anyone modifies the payload, the signature will no longer match.
How to Decode a JWT
- Copy your JWT from your application, browser DevTools, or API response.
- Open the Quill Tools JWT Decoder.
- Paste the token into the input field.
- The decoder splits the token and displays all three parts in a readable format.
- Expiration timestamps are shown in both Unix time and human-readable format.
Common JWT Debugging Scenarios
- 401 Unauthorized — Check the exp claim. Has the token expired?
- 403 Forbidden — Check the role/scope claims. Does the user have the required permission?
- Wrong user data — Check the sub and other identity claims.
- Audience mismatch — Verify the aud claim matches your API's expected audience.
Security Notes
The Quill Tools JWT decoder runs entirely in your browser — your token is never transmitted to any server. However, as a best practice, avoid pasting production JWTs containing real user data into any online service. For debugging in production, use your application's logging infrastructure or decode locally.
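For the local decoding recommended above, here is an added example (not Quill Tools code) that decodes a token in Node.js and flags the expired, not-yet-valid and audience-mismatch cases from the debugging list. The function names, the sample token and its issuer and audience values are constructed for illustration; the script only decodes and does not verify the signature.

```javascript
// Added example: decode a JWT locally and flag common claim problems.
// Decoding is not verification: the signature is NOT checked here.

function b64urlToJson(segment) {
  // Base64URL -> Base64, restore padding, then parse the JSON
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

function inspectJwt(token, { now = Math.floor(Date.now() / 1000), expectedAudience } = {}) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const findings = [];

  if (typeof payload.exp === 'number' && now >= payload.exp) {
    findings.push(`expired at ${new Date(payload.exp * 1000).toISOString()}`);
  }
  if (typeof payload.nbf === 'number' && now < payload.nbf) {
    findings.push(`not valid before ${new Date(payload.nbf * 1000).toISOString()}`);
  }
  if (expectedAudience !== undefined) {
    const aud = [].concat(payload.aud ?? []); // aud may be a string or an array
    if (!aud.includes(expectedAudience)) findings.push(`aud does not include ${expectedAudience}`);
  }
  return { header, payload, findings };
}

// Constructed sample token (not a real credential); the signature is a placeholder.
function encodeSegment(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const sampleToken = [
  encodeSegment({ alg: 'HS256', typ: 'JWT' }),
  encodeSegment({ sub: 'user-123', iss: 'https://issuer.example', aud: 'api-a',
                  iat: 1700000000, exp: 1700003600 }),
  'placeholder-signature',
].join('.');

// Two hours after iat, checked against a different API's audience
const report = inspectJwt(sampleToken, { now: 1700007200, expectedAudience: 'api-b' });
console.log(JSON.stringify(report, null, 2));
```

Pass the current time and your API's audience to reproduce a 401 or audience mismatch without sending the token to any third party.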
Frequently Asked Questions
Is it safe to decode JWT tokens online?
Yes, when using Quill Tools. The JWT decoder runs entirely client-side — your token never leaves your browser.
What are the three parts of a JWT?
A JWT has three Base64URL-encoded parts: Header (algorithm), Payload (claims), and Signature (verification), separated by dots.
Decode your JWT now at Quill Tools JWT Decoder.