Askerium

What Is a JWT, and How Do You Decode One Safely?

A practical guide to JWT structure and why pasting a production token into a random online decoder is riskier than it looks.

What a JWT actually contains

A JSON Web Token (JWT) is a compact, URL-safe string split into three parts separated by dots: header.payload.signature. It's the backbone of modern authentication, used for session tokens, API access, and single sign-on across nearly every web framework.

Each part is base64url-encoded JSON:

  • Header: declares the signing algorithm (e.g. HS256, RS256) and token type.
  • Payload: the actual claims, such as sub (subject), exp (expiration), iat (issued at), and any custom data the issuer added.
  • Signature: proves the token hasn't been tampered with, generated using a secret or private key.

The problem with most online JWT decoders

Pasting a token into a random "JWT decoder" site sends that string to their server for processing. If the token is from a production system (your own session, an internal API token), you've just handed a live credential to a third party. Most JWTs aren't encrypted, only signed, which means anyone who reads the payload can see every claim inside.

Decoding safely

Askerium's JWT Decoder parses the token entirely in your browser using standard base64url decoding; nothing is transmitted anywhere. You can safely inspect:

  • The signing algorithm and token type
  • All payload claims, including expiration converted to a readable date
  • Whether the token's structure is valid (three properly encoded segments)

Note that decoding only reveals the contents. It doesn't verify the signature without the secret key, so a decoded token isn't proof the issuer actually signed it.
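
The local decoding steps described above, as an added example; this is not Askerium's code. The names base64UrlDecode, inspectJwt, encodeSegment and SAMPLE_TOKEN are assumptions, and the token is constructed for the example.

```javascript
// Decode one base64url segment to a UTF-8 string. Runs locally; no network calls.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("segment is not valid base64url");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Inspect a JWT's contents. This does NOT verify the signature, so the
// claims must be treated as unauthenticated input.
function inspectJwt(token, now = new Date()) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  if (payload === null || typeof payload !== "object") throw new Error("payload is not a JSON object");
  if (!/^[A-Za-z0-9_-]*$/.test(parts[2])) throw new Error("signature is not base64url");
  // exp is seconds since the Unix epoch; Date expects milliseconds.
  const expiresAt = typeof payload.exp === "number" ? new Date(payload.exp * 1000) : null;
  return {
    header,
    payload,
    expiresAt: expiresAt ? expiresAt.toISOString() : null,
    expired: expiresAt ? expiresAt <= now : null,
    signatureVerified: false, // decoding alone never proves who issued the token
  };
}

// Constructed sample token (not a real credential); the signature is a dummy value.
const encodeSegment = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  encodeSegment({ alg: "HS256", typ: "JWT" }),
  encodeSegment({ sub: "user-123", iat: 1700000000, exp: 1700003600 }),
  "ZHVtbXktc2lnbmF0dXJl",
].join(".");

console.log(inspectJwt(SAMPLE_TOKEN));
```

The result always reports signatureVerified as false: checking the signature needs the issuer's key and belongs on the server that trusts the token.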

When you'd use this

Debugging an auth flow, checking why a session expired, or inspecting what claims an API actually returns: all are common developer tasks where decoding a JWT instantly and safely saves you from writing a one-off script.
