Python JWT Decoder & Verifier
Decode and inspect JSON Web Tokens for your Python applications. Paste a JWT to see its header, payload, and claims, then use the code examples for PyJWT, Flask-JWT-Extended, or Django REST Framework. All decoding is client-side.
How to decode JWTs in Python
Install PyJWT: pip install PyJWT. To decode and verify: import jwt; payload = jwt.decode(token, secret, algorithms=['HS256']). To decode without verification (inspection only): payload = jwt.decode(token, options={'verify_signature': False}). For RS256 tokens: payload = jwt.decode(token, public_key, algorithms=['RS256']). Always specify the algorithms parameter explicitly to prevent algorithm confusion attacks. Note: the package is 'PyJWT' on pip but imported as 'jwt' — don't confuse with the deprecated 'jwt' package.
# Python: decode and verify JWT tokens
import jwt  # pip install PyJWT

# Sample token so the snippet runs as-is; in an application it comes from the request
token = jwt.encode({"sub": "user-1", "exp": 1711234567}, "your-secret-key", algorithm="HS256")

# Decode WITHOUT verification (inspect only)
payload = jwt.decode(token, options={"verify_signature": False})
print(payload)  # {'sub': 'user-1', 'exp': 1711234567}

# Verify with secret (recommended)
try:
    payload = jwt.decode(token, "your-secret-key", algorithms=["HS256"])
    print("Valid:", payload["sub"])
except jwt.ExpiredSignatureError:
    # Raised for the sample token above, whose exp is in the past
    print("Token expired")
except jwt.InvalidTokenError as e:
    print(f"Invalid token: {e}")

Python JWT in Flask and Django
Flask-JWT-Extended simplifies JWT auth:

from flask_jwt_extended import jwt_required, get_jwt_identity

@app.route('/protected')
@jwt_required()
def protected():
    user = get_jwt_identity()

For Django REST Framework: pip install djangorestframework-simplejwt, then add 'rest_framework_simplejwt.authentication.JWTAuthentication' to DEFAULT_AUTHENTICATION_CLASSES. Both libraries handle token creation, refresh, blacklisting, and claim validation automatically. For FastAPI: pip install python-jose; use OAuth2PasswordBearer + jwt.decode() in a Depends() dependency.
Common Python JWT pitfalls
Pitfall 1: importing 'jwt' when you have both PyJWT and python-jose installed; they conflict.
Pitfall 2: not specifying algorithms= allows algorithm switching attacks.
Pitfall 3: jwt.decode() in PyJWT 2.x requires the algorithms parameter (breaking change from 1.x).
Pitfall 4: DecodeError vs ExpiredSignatureError vs InvalidSignatureError; handle each differently.
Use this tool to inspect your token's algorithm (alg header) and expiration (exp claim) before writing Python decode logic.
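Pitfalls 2 and 4 made concrete: a standard-library sketch of the order of checks that a pinned algorithms= list enforces, returning a distinct reason for each kind of rejection. This is an added illustration, not PyJWT's implementation and not code from this page; the function names, key, clock value and sample tokens are constructed for the example, and application code should keep using jwt.decode() with algorithms= set.

```python
import base64, hashlib, hmac, json, time

def b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))
def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(header, payload, key):
    """Build a constructed sample token (HMAC-SHA256; empty signature for alg 'none')."""
    signing_input = ".".join(b64e(json.dumps(part).encode()) for part in (header, payload))
    sig = b"" if header.get("alg") == "none" else hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64e(sig)}"

def check_token(token, key, algorithms=("HS256",), now=None):
    """Return 'valid' or the reason for rejection. This sketch implements HS256 only."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, payload = json.loads(b64d(head_b64)), json.loads(b64d(body_b64))
        sig = b64d(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return "malformed"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return "malformed"
    # The allow-list comes from the caller, never from the token's own header.
    if header.get("alg") not in algorithms:
        return "alg_not_allowed"
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return "bad_signature"
    # Claims are trusted only after the signature check has passed.
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)):
        return "missing_exp"
    if exp <= (time.time() if now is None else now):
        return "expired"
    return "valid"

KEY = b"constructed-demo-key-0123456789abcdef"  # constructed, not a real secret
NOW = 1_700_000_000  # fixed clock so the results are reproducible
HS = {"alg": "HS256", "typ": "JWT"}
SAMPLES = {  # constructed tokens, one per outcome
    "good": make_token(HS, {"sub": "user-1", "exp": NOW + 3600}, KEY),
    "alg_none": make_token({"alg": "none", "typ": "JWT"}, {"sub": "user-1", "exp": NOW + 3600}, KEY),
    "wrong_key": make_token(HS, {"sub": "user-1", "exp": NOW + 3600}, b"some-other-key"),
    "stale": make_token(HS, {"sub": "user-1", "exp": NOW - 1}, KEY),
}
if __name__ == "__main__":
    for name, tok in SAMPLES.items():
        print(name, "->", check_token(tok, KEY, now=NOW))
```

Each return value corresponds to a different response in an application: a malformed or badly signed token is rejected outright, while an expired one can trigger a refresh.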
Frequently Asked Questions
How do I decode a JWT without verification in Python?
Use jwt.decode(token, options={'verify_signature': False}) with PyJWT 2.x. In PyJWT 1.x, use jwt.decode(token, verify=False). This is safe for inspecting claims but never use unverified tokens for authorization decisions.
What is the difference between PyJWT and python-jose?
PyJWT (import jwt) is the most popular Python JWT library with 100M+ downloads. python-jose (import jose) supports JWE (encrypted tokens) and JWK (JSON Web Keys) in addition to JWS. Use PyJWT for standard JWT needs; use python-jose if you need JWE encryption or JWK key management.
How do I handle expired JWTs in Python?
Catch jwt.ExpiredSignatureError:

try:
    payload = jwt.decode(token, secret, algorithms=['HS256'])
except jwt.ExpiredSignatureError:
    pass  # Token has expired: refresh or re-authenticate

Set expiration when creating: jwt.encode({'exp': datetime.now(timezone.utc) + timedelta(hours=1), ...}, secret).