DevBolt

Python JWT Decoder & Verifier

Decode and inspect JSON Web Tokens for your Python applications. Paste a JWT to see its header, payload, and claims, then use the code examples for PyJWT, Flask-JWT-Extended, or Django REST Framework. All decoding is client-side.


JWT Decoder

Decode and inspect JSON Web Tokens. View header, payload, and expiration status.

How to decode JWTs in Python

Install PyJWT:

    pip install PyJWT

To decode and verify:

    import jwt
    payload = jwt.decode(token, secret, algorithms=['HS256'])

To decode without verification (inspection only):

    payload = jwt.decode(token, options={'verify_signature': False})

For RS256 tokens:

    payload = jwt.decode(token, public_key, algorithms=['RS256'])

Always pass the algorithms parameter explicitly to prevent algorithm confusion attacks. Note: the package is 'PyJWT' on pip but is imported as 'jwt'; don't confuse it with the deprecated 'jwt' package.

Python JWT in Flask and Django

Flask-JWT-Extended simplifies JWT auth:

    from flask_jwt_extended import jwt_required, get_jwt_identity

    @app.route('/protected')
    @jwt_required()
    def protected():
        user = get_jwt_identity()

For Django REST Framework: pip install djangorestframework-simplejwt, then add 'rest_framework_simplejwt.authentication.JWTAuthentication' to DEFAULT_AUTHENTICATION_CLASSES. Both libraries handle token creation, refresh, blacklisting, and claim validation for you. For FastAPI: pip install python-jose, then use OAuth2PasswordBearer together with jwt.decode() inside a Depends() dependency.

Common Python JWT pitfalls

Pitfall 1: importing 'jwt' when you have both PyJWT and python-jose installed: they conflict.

Pitfall 2: not specifying algorithms= allows algorithm switching attacks.

Pitfall 3: jwt.decode() in PyJWT 2.x requires the algorithms parameter (a breaking change from 1.x).

Pitfall 4: DecodeError, ExpiredSignatureError and InvalidSignatureError are distinct exceptions; handle each differently.

Use this tool to inspect your token's algorithm (alg header) and expiration (exp claim) before writing Python decode logic.

Frequently Asked Questions

How do I decode a JWT without verification in Python?

Use jwt.decode(token, options={'verify_signature': False}) with PyJWT 2.x. In PyJWT 1.x, use jwt.decode(token, verify=False). This is safe for inspecting claims but never use unverified tokens for authorization decisions.

What is the difference between PyJWT and python-jose?

PyJWT (import jwt) is the most popular Python JWT library with 100M+ downloads. python-jose (import jose) supports JWE (encrypted tokens) and JWK (JSON Web Keys) in addition to JWS. Use PyJWT for standard JWT needs; use python-jose if you need JWE encryption or JWK key management.

How do I handle expired JWTs in Python?

Catch jwt.ExpiredSignatureError:

    try:
        payload = jwt.decode(token, secret, algorithms=['HS256'])
    except jwt.ExpiredSignatureError:
        # Token has expired: refresh or re-authenticate
        pass

Set the expiration when creating the token:

    jwt.encode({'exp': datetime.utcnow() + timedelta(hours=1), ...}, secret)
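To make the pitfalls above and the exp handling concrete, here is an added stdlib-only sketch of what jwt.decode does for an HS256 token; it is not PyJWT's code or API, and the helper names (b64url_decode, inspect, encode_hs256, check) are assumptions. It inspects alg and exp without verifying, enforces the caller's algorithms allow-list rather than the token's own alg header, and returns a distinct outcome for malformed, wrong-algorithm, bad-signature and expired tokens.

```python
import base64
import hashlib
import hmac
import json
import time

# Added illustration; helper names are assumptions, not PyJWT's API.

def b64url_decode(s: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def inspect(token: str) -> dict:
    # Unverified look at the header and claims, as with
    # jwt.decode(token, options={'verify_signature': False}); never authorize on this
    header_b64, payload_b64, _sig = token.split(".")
    return {"header": json.loads(b64url_decode(header_b64)),
            "payload": json.loads(b64url_decode(payload_b64))}

def encode_hs256(payload: dict, secret: bytes) -> str:
    # Build header.payload and sign it with HMAC-SHA256 (what jwt.encode does for HS256)
    parts = [b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
             for obj in ({"alg": "HS256", "typ": "JWT"}, payload)]
    sig = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts) + "." + b64url_encode(sig)

def check(token: str, secret: bytes, algorithms: list, now=None) -> str:
    """Return 'ok', 'malformed', 'bad_alg', 'bad_signature' or 'expired' (Pitfall 4)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return "malformed"        # PyJWT raises DecodeError here
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    # Pitfall 2: the caller's allow-list decides, never the token's own alg header.
    # Only HS256 is implemented here, so 'none' or an asymmetric alg is refused.
    if alg not in algorithms or alg != "HS256":
        return "bad_alg"          # PyJWT raises InvalidAlgorithmError here
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return "bad_signature"    # PyJWT raises InvalidSignatureError here
    payload = json.loads(b64url_decode(payload_b64))
    if "exp" in payload and (time.time() if now is None else now) >= payload["exp"]:
        return "expired"          # PyJWT raises ExpiredSignatureError here
    return "ok"
```

The now parameter exists only so the expiry branch can be exercised deterministically; in real code PyJWT uses the current time and a configurable leeway.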
