JWT Decoder — Developer Code Samples

A JWT (JSON Web Token) consists of three Base64url-encoded parts: header, payload, and signature. Decoding the header and payload requires no secret key, so decoded claims are untrusted until the signature has been verified. Verifying the signature requires the secret or public key. Use PyJWT in Python or the jsonwebtoken package in Node.js.


Parameters

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| token | str | Yes | JWT token string (three Base64url parts separated by dots) |
| verify | bool | No | Verify signature (requires secret/public key, default: False) |
| secret | str | No | Secret key or public key for signature verification |

Returns: Dict with header (algorithm/type), payload (claims including sub, iat, exp), signature, and is_expired fields

Code Examples

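import base64
import hashlib
import hmac
import json
import time


def b64url_decode(part):
    # Base64url parts drop their '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(part + '=' * (-len(part) % 4))


def decode_jwt(token, verify=False, secret=None):
    """
    Decode a JWT token.

    verify=False: inspect only; the returned claims are untrusted.
    verify=True: check the HS256 signature against `secret` and raise
    ValueError on failure.
    For production: use PyJWT with signature verification.
    """
    parts = token.split('.')
    if len(parts) != 3:
        raise ValueError("Invalid JWT: must have 3 parts separated by dots")

    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    signature = parts[2]

    if verify:
        if not secret:
            raise ValueError("verify=True requires a secret")
        # This sample only verifies HS256; reject any other alg value
        if header.get("alg") != "HS256":
            raise ValueError("Unsupported algorithm (only HS256 is verified here)")
        signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
        expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
        # Constant-time comparison of the expected and presented MAC
        if not hmac.compare_digest(expected, b64url_decode(signature)):
            raise ValueError("Signature verification failed")

    exp = payload.get("exp")
    return {
        "header": header,
        "payload": payload,
        "signature": signature,
        # Expired when an exp claim is present and lies in the past
        "is_expired": exp is not None and exp < time.time(),
    }

# Example JWT, decoded here without verification
# (never trust the claims in production without verifying the signature!)
sample_jwt = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
    ".eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNTE2MjM5MDIyfQ"
    ".SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)

result = decode_jwt(sample_jwt)
print("Header:", json.dumps(result["header"], indent=2))
print("Payload:", json.dumps(result["payload"], indent=2))

# With PyJWT (pip install PyJWT) - includes verification
# import jwt
# decoded = jwt.decode(token, "your-secret", algorithms=["HS256"])
# print(decoded)

# Check expiration (only reported when the token carries an exp claim)
payload = result["payload"]
if "exp" in payload:
    print(f"Token expired: {result['is_expired']}")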
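
The difference between decoding and verifying described at the top of this page, as an added example (not part of the original page): a standard-library HS256 verifier run over four constructed tokens, showing which ones a verifier must reject even though all of them decode cleanly. The helper names, the key, and the fixed clock value are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign_hs256(header, payload, key):  # hypothetical helper: builds the sample tokens
    head, body = (b64url_encode(json.dumps(p).encode()) for p in (header, payload))
    mac = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def verify_hs256(token, key, now):
    """Return the claims only if algorithm, signature and exp all check out."""
    head, body, sig = token.split(".")  # ValueError unless exactly three parts
    header = json.loads(b64url_decode(head))
    # The verifier pins the algorithm; the token's header does not get to pick it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("algorithm not allowed")
    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):  # constant-time
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))  # parsed only after the MAC passed
    if "exp" in claims and claims["exp"] < now:
        raise ValueError("token expired")
    return claims

def demo():
    key, now = b"constructed-demo-key", 1_700_000_000  # constructed key, fixed clock
    claims = {"sub": "alice", "exp": now + 300}
    head, body, sig = sign_hs256({"alg": "HS256"}, claims, key).split(".")
    edited = b64url_encode(json.dumps({**claims, "sub": "admin"}).encode())
    samples = {
        "valid": f"{head}.{body}.{sig}",
        "edited_payload": f"{head}.{edited}.{sig}",  # old signature, new claims
        "unsigned": sign_hs256({"alg": "none"}, claims, key).rsplit(".", 1)[0] + ".",
        "expired": sign_hs256({"alg": "HS256"}, {**claims, "exp": now - 1}, key),
    }
    results = {}
    for name, token in samples.items():
        try:
            results[name] = verify_hs256(token, key, now)["sub"]
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results

print(demo())
```

Only the first token is accepted; the other three are the cases a decode-only check would let through.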