JWT Decoder Explained: Header, Payload and Signature

Understand how JWTs are structured and how developers safely decode token headers and payloads.

Editorial note

This guide was written for developers who need practical explanations and quick browser-based utilities. It focuses on common debugging, API and data-conversion workflows.

What a JWT is

A JSON Web Token, usually called a JWT, is a compact token format commonly used for authentication and authorisation. It is made of three Base64URL-encoded parts separated by dots: the header, the payload and the signature.

Header

The header usually describes the token type and signing algorithm. For example, it may say that the token is a JWT and that it was signed using HS256 or RS256. This information helps the receiving service understand how the token should be verified.

Payload

The payload contains claims. Claims are pieces of information such as a user identifier, expiry time, issuer, audience, roles or permissions. Developers often decode the payload to check whether a token contains the expected values.

Signature

The signature is used to verify that the token has not been changed and that it was created by a trusted issuer. Decoding a JWT is not the same as verifying it. A browser decoder can show the header and payload, but your application still needs proper signature validation.

Safe usage

Never treat a decoded JWT as trusted just because it can be read. Always verify the signature, issuer, audience, expiry and other security-sensitive claims on the server side.
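The difference between decoding and verifying, as an added example that is not code from the original guide: a payload edited after signing still decodes cleanly, but fails the server-side check. The key, issuer, audience, claims and function names are constructed for illustration, and only HS256 is handled.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part):
    # JWT segments omit "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_unverified(token):
    """What a browser decoder does: read header and payload, prove nothing."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs256(claims, key, header=None):
    """Build a token for the demo (stands in for the issuer)."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token, key, issuer, audience, now=None):
    """Return claims only if alg, signature, iss, aud and exp all check out."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # The server pins the algorithm; the token's own header does not get to choose.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))  # read only after the signature passed
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("expired or missing exp")
    return claims

# Constructed sample values (not from the guide): key, issuer, audience and claims.
KEY, ISS, AUD = b"constructed-demo-key", "https://issuer.example", "api.example"
TOKEN = sign_hs256({"sub": "user-1", "role": "viewer", "iss": ISS, "aud": AUD, "exp": 2000000000}, KEY)
# Same header and signature as TOKEN, but the payload was edited after signing.
h, _p, s = TOKEN.split(".")
forged = dict(decode_unverified(TOKEN)[1], role="admin")
TAMPERED = ".".join([h, b64url_encode(json.dumps(forged).encode()), s])
```

Here decode_unverified(TAMPERED) returns the edited claims without complaint, while verify_hs256 rejects the same token with "bad signature".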

Key takeaway

The best developer utilities are simple, focused and easy to verify. Use tools like these to speed up debugging and preparation work, but always review generated output before using it in production systems.