JWT Decoder


Security Note: This tool decodes JWTs but does NOT verify signatures. Never use this for validating tokens in production. JWT signature verification requires the secret key and should be done server-side. This tool is for debugging and inspection only.

About JWT Decoder

JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims between two parties. A JWT consists of three parts: Header (algorithm and token type), Payload (claims and data), and Signature (verification data). This decoder tool allows you to inspect and debug JWTs by decoding the base64url-encoded header and payload sections. It displays the token structure, standard claims, and expiration information. All decoding happens in your browser for complete privacy.

How to Use

  1. Paste your JWT into the input field.
  2. The tool automatically decodes the token as you type.
  3. View the decoded Header section, which shows the algorithm and token type.
  4. View the decoded Payload section, which shows all claims and data.
  5. Check standard claims such as expiration (exp), issued at (iat), and subject (sub).
  6. The signature segment is displayed but NOT verified (verification requires the secret key or, for asymmetric algorithms, the public key).

Frequently Asked Questions

What is a JWT?

JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. JWTs are commonly used for authentication and authorization in web applications and APIs. They consist of three parts: Header, Payload, and Signature, separated by dots.

What are the three parts of a JWT?

  1. Header: Contains the algorithm (e.g., HS256, RS256) and the token type (JWT).
  2. Payload: Contains claims (statements about an entity plus additional data).
  3. Signature: Used to verify that the header and payload have not been tampered with. It is produced by signing the encoded header and payload with a secret key (HMAC algorithms) or a private key (asymmetric algorithms).

What are JWT claims?

Claims are statements about an entity (typically the user) and additional metadata. Standard claims include: sub (subject/user ID), iss (issuer), aud (audience), exp (expiration time), iat (issued at), nbf (not before), and jti (JWT ID). You can also add custom claims for your application.

Does this tool verify JWT signatures?

No. This tool only decodes and displays the JWT structure. Signature verification requires the secret key or public key (for asymmetric algorithms) and should only be done server-side. This tool is for debugging and inspecting tokens, not for validating their authenticity.

How do I know if my JWT is expired?

The tool checks the "exp" (expiration) claim in the payload and compares it to the current time. If the token is expired, you'll see a red "EXPIRED" warning. The expiration time is shown in both human-readable format and Unix timestamp.
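The decoding and expiration check described in the About section, the How to Use steps, and this answer, as an added example written for this page (not the tool's own source). It splits the token on dots, base64url-decodes the header and payload, compares exp and nbf against a caller-supplied clock, and deliberately leaves the signature segment unverified; the sample token, its claim values, and the signature placeholder are all constructed here.

```javascript
// Added example: browser-style JWT decoding with an exp/nbf check and no
// signature verification (the signature is passed through for display only).

function base64UrlDecode(segment) {
  // base64url -> standard base64, then restore the '=' padding that JWTs strip
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const binary = typeof atob === 'function'
    ? atob(padded)
    : Buffer.from(padded, 'base64').toString('binary');
  // binary string -> UTF-8 text, so non-ASCII claim values decode correctly
  return new TextDecoder().decode(Uint8Array.from(binary, c => c.charCodeAt(0)));
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`Expected header.payload.signature, got ${parts.length} segment(s)`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  const header = JSON.parse(base64UrlDecode(headerSeg));
  const payload = JSON.parse(base64UrlDecode(payloadSeg));
  const hasExp = Number.isInteger(payload.exp);
  const hasNbf = Number.isInteger(payload.nbf);
  return {
    header,
    payload,
    signature: signatureSeg, // shown to the user, never checked here
    verified: false,         // inspection only; verification belongs server-side
    expired: hasExp && payload.exp <= nowSeconds,
    notYetValid: hasNbf && payload.nbf > nowSeconds,
    expiresAt: hasExp ? new Date(payload.exp * 1000).toISOString() : null,
  };
}

// Constructed sample token: HS256 header, a payload valid from 1699996400
// until 1700000000 (2023-11-14T22:13:20Z), and a placeholder signature segment.
function base64UrlEncode(text) {
  const b64 = typeof btoa === 'function'
    ? btoa(text)
    : Buffer.from(text, 'utf8').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ sub: 'user-42', iat: 1699996400, nbf: 1699996400, exp: 1700000000 })),
  'placeholder-signature-not-verified',
].join('.');
```

Passing `nowSeconds` explicitly makes the EXPIRED / not-yet-valid decision reproducible in tests; in the browser the default argument uses the current clock.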

Are JWTs encrypted?

Standard JWTs (JWS) are signed but NOT encrypted—anyone can decode and read the contents. Never put sensitive information like passwords in a JWT payload. If you need encryption, use JWE (JSON Web Encryption) tokens instead, which encrypt the payload.

What algorithms are commonly used for JWTs?

Common algorithms include: HS256 (HMAC with SHA-256, symmetric), HS384, HS512, RS256 (RSA with SHA-256, asymmetric), RS384, RS512, ES256 (ECDSA with SHA-256), ES384, and ES512. The algorithm is specified in the token header.

Is it safe to decode JWTs in my browser?

Yes, for inspection purposes. All decoding happens entirely in your browser—no data is sent to any server. However, remember that JWTs are not encrypted, so anyone with the token can decode it. Never share JWTs publicly or include them in client-side code.
