JWT Decode/Encode


What Is a JWT Encode/Decode Tool?

A JWT Encode/Decode tool lets you convert data into a JSON Web Token (JWT) or extract and inspect an existing JWT. These tools are essential for authentication, authorization, and secure data exchange.

Why Encode and Decode JWTs?

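Encoding transforms your data into a compact, signed token that can be transmitted between systems. The signature protects integrity, not confidentiality: the header and payload are only Base64URL-encoded, so anyone who holds the token can read them. Decoding allows you to analyze the token’s header, payload, and signature, which is helpful for debugging and inspecting claims; ensuring integrity additionally requires verifying the signature.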

How JWT Encoding and Decoding Work

Encoding a JWT with code

A JWT consists of three parts:

  1. Header – Defines the token type and signing algorithm.
  2. Payload – Contains user data and claims (e.g., user roles, expiration).
  3. Signature – Ensures token integrity using a secret key.

Example: Encoding a JWT in JavaScript (using Node.js and the jsonwebtoken library):

const jwt = require("jsonwebtoken");

const payload = {
  userId: 123,
  role: "admin",
  exp: Math.floor(Date.now() / 1000) + 60 * 60, // Expires in 1 hour
};

// Placeholder value: in real code, load a long random secret from configuration.
const secretKey = "your-secret-key";
const token = jwt.sign(payload, secretKey, { algorithm: "HS256" });

console.log("Encoded JWT:", token);

Decoding a JWT with code

Decoding extracts the header and payload in a readable format. However, it does not verify the signature.

Example: Decoding a JWT in JavaScript:

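// Continues from the encoding example above (jwt and token are defined there).
// { complete: true } returns the header and signature as well as the payload.
const decoded = jwt.decode(token, { complete: true });
console.log("Decoded JWT:", decoded);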

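If you need to verify the token’s signature, use jwt.verify() and pin the algorithm you expect:

try {
  // Restrict accepted algorithms instead of trusting the token's own header.
  const verified = jwt.verify(token, secretKey, { algorithms: ["HS256"] });
  console.log("Verified JWT:", verified);
} catch (error) {
  // Thrown for a bad signature, an expired token, or a malformed token.
  console.log("Invalid token:", error.message);
}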

Is the JWT Encode/Decode Tool Secure?

Yes, we only decode tokens and don’t store your input data.

Common Uses

  • Debugging: Identify token structure issues.
  • Claim Verification: Check user roles, expiration, and permissions.
  • API Development: Ensure tokens are processed correctly in authentication flows.

Example 1: Encoding a JWT in our tool

Imagine you need to generate a JWT with user data. Using an online JWT Encode tool, you enter the following payload:

{
  "userId": 123,
  "role": "admin",
  "exp": 1700000000
}

After clicking “Encode”, the tool produces a JWT similar to this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywicm9sZSI6ImFkbWluIiwiZXhwIjoxNzAwMDAwMDAwfQ.S3fQ_dYIgExU8qVODw4l5O9Zf0xF5KlFwSBBbEYoNhE

This token can now be used in authentication headers.

Example 2: Decoding a JWT in our tool

If you receive a JWT and want to inspect its contents, paste the token into a JWT Decode tool and click “Decode”.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywicm9sZSI6ImFkbWluIiwiZXhwIjoxNzAwMDAwMDAwfQ.S3fQ_dYIgExU8qVODw4l5O9Zf0xF5KlFwSBBbEYoNhE

The tool extracts the human-readable JSON:

{
  "userId": 123,
  "role": "admin",
  "exp": 1700000000
}

However, this does not verify the signature. A token that has been tampered with still decodes cleanly, so the decoded claims should not be trusted until the signature has been verified.
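
The gap between decoding and verifying described above, as an added example that is not part of the original page or tool: it uses Node's built-in crypto module rather than jsonwebtoken, and the secret, claims and function names are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Constructed sample values for this example only.
const SECRET = "example-secret-not-for-production";
const CLAIMS = { userId: 123, role: "user", exp: 4102444800 }; // 2100-01-01 UTC

const b64url = (data) => Buffer.from(data).toString("base64url");
const hmac = (input, secret) =>
  crypto.createHmac("sha256", secret).update(input).digest();

// Build header.payload.signature for HS256.
function signHS256(claims, secret) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const input = `${head}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${b64url(hmac(input, secret))}`;
}

// Decode only: parses the payload and never looks at the signature.
function decodeUnverified(token) {
  return JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString());
}

// Verify: require HS256, recompute the MAC, compare in constant time,
// then check expiry. Returns the claims, or null when the token is rejected.
function verifyHS256(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const header = JSON.parse(Buffer.from(parts[0], "base64url").toString());
    if (header.alg !== "HS256") return null; // reject any other algorithm
    const expected = hmac(`${parts[0]}.${parts[1]}`, secret);
    const given = Buffer.from(parts[2], "base64url");
    if (given.length !== expected.length) return null;
    if (!crypto.timingSafeEqual(given, expected)) return null;
    const claims = decodeUnverified(token);
    return typeof claims.exp === "number" && claims.exp > now ? claims : null;
  } catch {
    return null; // malformed Base64URL or JSON
  }
}

// Change the role claim but keep the original signature.
function tamperRole(token, role) {
  const [head, , sig] = token.split(".");
  const body = b64url(JSON.stringify({ ...decodeUnverified(token), role }));
  return `${head}.${body}.${sig}`;
}

const token = signHS256(CLAIMS, SECRET);
const forged = tamperRole(token, "admin");
console.log("decoded:", decodeUnverified(forged), "verified:", verifyHS256(forged, SECRET));
```

The decoded output shows the altered role, while verification returns null for the same token.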