JWT Decoder

Decode and inspect JSON Web Tokens (JWT). Paste a JWT to view its header, payload claims, and signature. This tool does not verify the signature — never trust a token based on this output alone.


FAQ

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token that carries a set of claims as a JSON object. It consists of three Base64url-encoded parts separated by dots: a JSON header, a JSON payload, and the raw signature bytes.

Does this tool verify the JWT signature?

No. Signature verification requires the secret key or public key used to sign the token. This tool only decodes and displays the contents — never trust payload data without server-side verification.

Is it safe to paste my JWT here?

All decoding is done entirely in your browser. Your token is never sent to any server. However, as a best practice, avoid pasting real production tokens into any public online tool.

What algorithms does JWT support?

Common algorithms include HS256 (HMAC with SHA-256, using a shared secret), RS256 (RSASSA-PKCS1-v1_5 with SHA-256, using an RSA key pair) and ES256 (ECDSA over the P-256 curve with SHA-256). The algorithm is named in the 'alg' field of the header. The spec also defines the value 'none' for unsigned tokens, which a verifier should reject; in general the server should decide which algorithm it accepts rather than letting the token choose.


JWT Structure: Three Parts

A JSON Web Token (JWT) is composed of three Base64URL-encoded sections separated by dots (.):

eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyXzEyMyIsInJvbGUiOiJhZG1pbiIsImV4cCI6MTc0MTgyNDAwMH0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
  • Header — the signing algorithm (alg) and, usually, the token type (typ). The sample token above has a header of {"alg":"HS256"} with no typ field.
  • Payload — the claims: statements about the subject (here sub, role and exp) plus any application-specific data.
  • Signature — an HMAC (shared secret) or RSA/ECDSA (private key) signature computed over the ASCII string "base64url(header).base64url(payload)". It proves integrity and origin only when the server checks it with the right key.

Standard (Registered) Claims

Claim  Full name        Meaning
iss    Issuer           Who issued this token
sub    Subject          Who this token represents (usually a user ID)
aud    Audience         Who should accept this token; a verifier must reject tokens not addressed to it
exp    Expiration time  Unix timestamp (seconds) after which the token is invalid
nbf    Not before       Token is not valid before this Unix timestamp
iat    Issued at        Unix timestamp when the token was created
jti    JWT ID           Unique identifier for this token; enables replay detection if the server records IDs it has already accepted

JWT Security Best Practices

  • Always verify the signature server-side before trusting any claim. Decoding without verification, as this tool does, is fine for inspection but proves nothing about who issued the token or whether it was modified.
  • Reject alg: none and pin the expected algorithm server-side. Some older libraries accepted unsigned tokens when alg was set to none, and a library that lets the token choose the algorithm can be tricked into treating an RS256 public key as an HS256 secret.
  • Keep JWTs short-lived — set exp to 15–60 minutes for access tokens. Use refresh tokens for longer sessions.
  • Do not store sensitive data in the payload — the payload is only Base64-encoded, not encrypted. Anyone who has the token can read it.
  • Use HTTPS only — transmit JWTs exclusively over TLS to prevent interception.