Security📅 July 12, 20265 min read

Demystifying JSON Web Tokens: How to Inspect and Decode JWTs Safely

A deep dive into the anatomy of a JWT (Header, Payload, Signature) and why you should never put sensitive data inside the payload.

By Free Web Tools Security

JSON Web Tokens (JWTs) have become the de-facto standard for stateless authentication in modern web applications and APIs. They allow servers to verify a user's identity without querying a database on every request. However, a common misunderstanding about how JWTs work often leads to critical security vulnerabilities.

The Anatomy of a JWT

A standard JWT consists of three parts separated by dots (.):

  • Header: Contains metadata about the token, such as the signing algorithm (e.g., HMAC SHA256 or RSA).
  • Payload: Contains the claims or statements about the user (e.g., user ID, roles, expiration time).
  • Signature: A cryptographic hash of the Header and Payload, signed with a secret key known only to the server.

The Golden Rule: Encoding is Not Encryption

The most common mistake developers make is assuming that a JWT is encrypted. It is not. The Header and Payload are simply Base64Url encoded. Anyone who intercepts the token can easily decode it and read the contents.

Therefore, you must never put sensitive information—like passwords, social security numbers, or internal API secrets—inside a JWT payload. The token's security relies on the Signature, which prevents tampering, not on secrecy.

How to Inspect a JWT

During development and debugging, you often need to inspect the contents of a token to verify the expiration time (exp claim) or check the assigned user roles. You can paste your token into our JWT Decoder Tool to instantly parse the Header and Payload into readable JSON format.

Because our decoder runs 100% on the client-side, your authentication tokens are never transmitted to a third-party server, keeping your development environment secure.

Try Free Web Tools — Free Image Tools in Your Browser

Resize, compress, and convert images 100% locally — no uploads, no account required.

Open Free Image Tools →
← All Articles