
What Is a JWT? How to Decode and Read a JSON Web Token

By WowShortcuts Team · Free, in your browser

JWTs are everywhere in modern authentication, but the format looks like gibberish — three chunks of random characters separated by dots. Once you know the structure, a JWT is completely readable, and decoding one is the fastest way to debug a login problem. Here is what a JSON Web Token is and how to read it.

What Is a JWT?

A JSON Web Token (JWT) is a compact, self-contained way to carry claims — facts about a user or session — between systems. After you log in, a server typically issues a JWT; your browser sends it back on each request to prove who you are. The token holds the data and a signature that proves it has not been tampered with.

The Three Parts of a JWT

  • Header — the token type and the signing algorithm (e.g. HS256)
  • Payload — the claims: user ID, roles, issued-at and expiry times, and more
  • Signature — a hash of the header and payload using a secret, proving authenticity

The three parts are separated by dots (header.payload.signature). The first two are just Base64URL-encoded JSON — which is why they are readable.

A JWT Is Signed, Not Encrypted

This surprises many developers: by default the payload of a JWT is not secret. Anyone with the token can decode and read the claims inside it. The signature only guarantees the token has not been altered — it does not hide the contents.

Never put passwords, card numbers, or any secret in a JWT payload. Assume the contents are public and readable by whoever holds the token.

How to Decode a JWT

  1. Open the WowShortcuts JWT Decoder and paste your token.
  2. Instantly see the decoded header and payload as readable JSON.
  3. Check the claims — especially exp (expiry) and iat (issued-at) when debugging "token expired" errors.

Because the decoder runs entirely in your browser, your token is never sent anywhere — important, since a valid token can authenticate as you.

Common JWT Claims to Know

  • iss — issuer (who created the token)
  • sub — subject (usually the user ID)
  • exp — expiry time (after this, the token is invalid)
  • iat — issued-at time
  • aud — audience (who the token is intended for)
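
The decoding steps and the exp/iat check described above, as an added example that is not part of the original article or the WowShortcuts tool. The function names, the `verified` field, the issuer URL and the sample token are constructed for illustration; exp and iat are compared as seconds since the Unix epoch.

```javascript
// Decode a JWT for inspection and report on its time claims.
// Runs in browsers and Node 16+: atob, btoa, TextEncoder, TextDecoder are globals.
function b64urlDecode(segment) {
  // Base64URL uses '-' and '_' instead of '+' and '/', and drops '=' padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJwt(token) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(b64urlDecode(p)));
  // verified stays false (hypothetical field): decoding never checks the signature,
  // so these claims are only what the token says, not what a server should trust.
  return { header, payload, signature: parts[2], verified: false };
}

function timeStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp !== "number") return "no exp claim";
  if (nowSeconds >= payload.exp) return `expired ${nowSeconds - payload.exp}s ago`;
  if (typeof payload.iat === "number" && payload.iat > nowSeconds) {
    return "iat is in the future (clock skew?)";
  }
  return `valid for another ${payload.exp - nowSeconds}s`;
}

// Constructed sample token: built here so the example runs offline.
function b64urlEncode(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_TOKEN = [
  b64urlEncode({ alg: "HS256", typ: "JWT" }),
  b64urlEncode({ iss: "https://issuer.example", sub: "user-123",
                 aud: "api.example", iat: 1700000000, exp: 1700003600 }),
  "constructed-signature-not-valid", // placeholder, not a real HMAC
].join(".");

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header, decoded.payload);
console.log(timeStatus(decoded.payload, 1700007200)); // fixed "now" for a stable result
```

The sample decodes cleanly even though its signature is a placeholder, which is why a decoded payload is a debugging aid and not proof that the token is genuine.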

Conclusion

A JWT is just three Base64URL-encoded parts: a header, a readable payload of claims, and a signature that proves integrity. It is signed, not encrypted — so never store secrets in it. To inspect any token safely, paste it into the free WowShortcuts JWT Decoder, which runs entirely in your browser.
