Learn how to decode and inspect a JSON Web Token — what the three parts mean, what claims to look for, and how to verify expiry without a library.
A JSON Web Token looks like this:
```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
```
It consists of three Base64URL-encoded parts separated by dots:
1. Header — algorithm and token type
2. Payload — claims (data)
3. Signature — verification
The first section decodes to:
```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```
- alg: the signing algorithm — HS256 (HMAC-SHA256), RS256 (RSA), ES256 (ECDSA)
- typ: always "JWT"
Security note: Always validate alg on the server. Never accept "alg": "none".
The second section contains the claims:
```json
{
  "sub": "1234567890",
  "name": "Alice",
  "iat": 1516239022,
  "exp": 1516325422
}
```
Standard claims used in the payload above:
| Claim | Meaning |
|---|---|
| sub | Subject: the user the token is about |
| iat | Issued at: Unix timestamp (seconds since 1970-01-01 UTC) |
| exp | Expiry: Unix timestamp (seconds since 1970-01-01 UTC) after which the token must be rejected |
The third part is a cryptographic signature computed over base64url(header) + "." + base64url(payload) using the secret key. You cannot verify this without the secret key, but you can still read the header and payload.
Paste any JWT into our JWT Decoder to instantly see:
- The decoded header and payload as formatted JSON
- The expiry date as a human-readable timestamp
- Whether the token is currently expired
Alternatively, you can manually Base64-decode any section using the Base64 to Text Decoder — just paste the section before or after the dot.
JWTs are readable by anyone who has the token. Never include:
- Passwords
- Credit card numbers
- Personally identifiable information beyond what's necessary
- Secrets or API keys
The exp claim is seconds since Unix epoch (1970-01-01 00:00:00 UTC). In JavaScript:
```js
// atob() expects standard Base64, so map the Base64URL alphabet first (it tolerates missing '=' padding)
const b64 = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/')
const payload = JSON.parse(atob(b64))
const isExpired = payload.exp < Date.now() / 1000
```
Yes — the header and payload are Base64URL-encoded, not encrypted. Anyone can read them. Never put sensitive data (passwords, card numbers) in a JWT payload.
Find the "exp" claim in the payload. It is a Unix timestamp (seconds since 1970-01-01). Compare it to the current time. Our JWT Decoder shows the expiry as a human-readable date automatically.
Session cookies store a session ID server-side; the server looks it up per request. JWTs are self-contained — the server validates the signature without a database lookup, making JWTs stateless and horizontally scalable.
Only if the secret key is kept private and the "alg" field is validated server-side. The "alg: none" attack is a known vulnerability where an attacker sets the algorithm to none to bypass signature verification.