JWT Decoder

Header

Enter a JWT token to decode the header

Payload

Enter a JWT token to decode the payload

Signature

Enter a JWT token to view the signature

What is a JSON Web Token (JWT)?

A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, URL-safe format for transmitting claims between parties. Unlike traditional session-based authentication, JWTs are stateless and self-contained, making them ideal for distributed systems, microservices, and API authentication.

A JWT consists of three Base64URL-encoded parts separated by dots: Header.Payload.Signature

  • Header: Specifies the token type (JWT) and cryptographic algorithm (alg) used for signing. Common algorithms include HS256 (HMAC-SHA256), RS256 (RSA-SHA256), ES256 (ECDSA-SHA256), and none (unsigned, insecure).
  • Payload: Contains claims—statements about an entity (user, application) and metadata. Claims are categorized as registered (standardized by RFC 7519), public (defined in IANA registry), or private (custom application-specific claims).
  • Signature: Cryptographic signature created by combining the encoded header, encoded payload, and a secret (HMAC) or private key (RSA/ECDSA). Verifies token authenticity and integrity, preventing tampering.

JWTs are commonly used in OAuth 2.0, OpenID Connect, and REST API authentication. They eliminate the need for server-side session storage, enabling horizontal scaling and cross-domain authentication.

How JWT Decoding and Verification Works

JWTs use Base64URL encoding (RFC 4648 Section 5), which replaces + with -, / with _, and omits padding = characters. This makes tokens URL-safe and suitable for HTTP headers, query parameters, and cookies.

Our decoder performs the following steps:

  1. Token Parsing: Splits the token into three parts using the dot (.) separator. Validates that exactly three parts exist.
  2. Base64URL Decoding: Converts each part from Base64URL to UTF-8. Handles padding restoration and character encoding conversion.
  3. JSON Parsing: Parses the decoded header and payload as JSON objects. Validates JSON syntax and structure.
  4. Claim Extraction: Identifies standard claims (iss, sub, aud, exp, iat, nbf, jti) and calculates human-readable timestamps from Unix epoch values.
  5. Signature Verification: Uses the Web Crypto API to verify signatures. For HMAC algorithms, recreates the signature using the provided secret. For RSA/ECDSA algorithms, verifies using the public key. Compares the computed signature with the token's signature using constant-time comparison to prevent timing attacks.

Technical Details: Signature verification uses the browser's native Web Crypto API (SubtleCrypto), ensuring cryptographic operations match industry standards. Supported algorithms include HMAC (HS256, HS384, HS512) and RSA (RS256, RS384, RS512). RSA keys must be in PEM format with proper headers (-----BEGIN PUBLIC KEY-----). All processing occurs client-side—no data leaves your browser.

Standard JWT Claims (RFC 7519)

The JWT specification defines seven registered claims. These are optional but recommended for interoperability and security.

iss (Issuer): String or URI identifying the entity that issued the token. Used to prevent token reuse across different systems. Example: "iss": "https://auth.example.com"
sub (Subject): String identifying the principal (user, application, or device) the token represents. Typically a user ID or email. Must be unique within the issuer's context.
aud (Audience): String or array of strings identifying intended recipients. Recipients must verify their identifier is present, otherwise reject the token. Prevents token misuse across services.
exp (Expiration Time): NumericDate (Unix timestamp) after which the token is invalid. Servers must reject expired tokens even if the signature is valid. Critical for security—always set expiration times.
iat (Issued At): NumericDate indicating when the token was issued. Used to calculate token age and implement token rotation policies. Helps detect clock skew issues.
nbf (Not Before): NumericDate before which the token is invalid. Useful for implementing token activation delays or time-based access control. Less commonly used than exp.
jti (JWT ID): Unique identifier for the token. Used with token revocation lists or to prevent replay attacks. Should be unique per token instance, not just per user.

Best Practice: Always include exp and iat claims. Use iss and aud in multi-tenant or microservices architectures. Implement jti if you need token revocation capabilities.

When to Use a JWT Decoder

  • Authentication Debugging: Verify that tokens contain expected claims (user ID, roles, permissions) before implementing authorization logic. Check for missing or incorrect aud claims causing 401 errors.
  • Expiration Troubleshooting: Diagnose "token expired" errors by comparing exp timestamps with server time. Identify clock skew issues or incorrect token lifetime configurations.
  • API Integration: Inspect tokens from third-party OAuth providers (Google, Auth0, Okta) to understand claim structure and verify custom claims before implementing user mapping logic.
  • Security Audits: Review token structure for vulnerabilities: unsigned tokens (alg: "none"), weak algorithms (HS256 with short secrets), missing expiration claims, or exposed sensitive data in payloads.
  • Microservices Debugging: Trace authentication flow across services by verifying iss and aud claims. Ensure tokens are properly validated at each service boundary.
  • Signature Verification Testing: Test signature validation logic by verifying tokens with known secrets/keys before deploying authentication code to production.

For comprehensive JWT security practices and OAuth 2.0 implementation guidance, read our detailed guide: Understanding JWT Tokens and OAuth2 — Secure Your Applications with Proven Techniques

Frequently Asked Questions

Find answers to common questions

Yes. JWTs use Base64URL encoding, not encryption, so anyone with the token can decode it. Decoding reveals the header and payload but doesn't compromise security—the signature prevents tampering. This tool processes tokens entirely in your browser using JavaScript and the Web Crypto API. No data is transmitted to servers. However, never paste production tokens containing sensitive claims into untrusted tools or public forums.
Signature verification uses cryptographic hashing. For HMAC algorithms (HS256/384/512), the verifier recreates the signature by hashing the header.payload with the secret key, then compares it to the token's signature. For RSA algorithms (RS256/384/512), the verifier uses the public key to verify the signature created with the private key. This tool uses the browser's Web Crypto API (SubtleCrypto) for verification, matching production server implementations. Verification happens client-side—your secret or public key never leaves your browser.
The exp claim contains a Unix timestamp (seconds since epoch). If the current time exceeds this value, the token is expired and must be rejected, even with a valid signature. To fix: request a new token from your authentication server, check server clock synchronization (expired tokens may be valid if clocks are skewed), or verify the token lifetime configuration matches your application's needs. This tool displays expiration time in human-readable format and shows remaining validity period.
Valid JWTs must have exactly three Base64URL-encoded parts separated by dots. Common issues: missing parts (only 1-2 segments), invalid Base64URL characters (contains +, /, or padding =), malformed JSON in header/payload, or the string isn't a JWT (might be an opaque token or different format). Check that your token starts with eyJ (Base64 for {") and contains exactly two dots. This tool provides specific error messages to help identify the issue.
Encoding (Base64URL) is a reversible transformation for data representation—anyone can decode it. Encryption uses cryptographic keys to scramble data, making it unreadable without the decryption key. JWTs are encoded, not encrypted, meaning the header and payload are readable by anyone. The signature provides integrity (detects tampering) and authenticity (verifies the issuer), but not confidentiality. If you need to hide payload contents, use JWE (JSON Web Encryption) or encrypt sensitive claims before including them in the token.
This tool supports HMAC algorithms (HS256, HS384, HS512) using secret keys and RSA algorithms (RS256, RS384, RS512) using public keys in PEM format. ECDSA algorithms (ES256, ES384, ES512) may be supported depending on browser Web Crypto API support. Tokens with alg: "none" (unsigned) are a security vulnerability and should be rejected. Always verify the algorithm matches your server configuration and use strong keys (256+ bits for HMAC, 2048+ bits for RSA).
Yes. OAuth 2.0 access tokens and OpenID Connect ID tokens are JWTs. This tool can decode and verify both. ID tokens typically include standard claims like sub, iss, aud, exp, and iat, plus OpenID-specific claims (email, email_verified, name). Access tokens may contain custom scopes or permissions. Use signature verification to ensure tokens are valid before trusting their claims in your application.

Security & Privacy Guarantees

This tool is designed with security-first principles. All cryptographic operations use the browser's native Web Crypto API, ensuring industry-standard security without external dependencies.

  • Zero Data Transmission: All processing occurs client-side using JavaScript. No network requests are made—tokens, secrets, and keys never leave your browser.
  • No Persistence: Tokens are not stored in localStorage, sessionStorage, cookies, or server logs. Refreshing the page clears all data.
  • Cryptographic Verification: Signature verification uses constant-time comparison algorithms to prevent timing attacks. Supports industry-standard algorithms (HMAC-SHA256/384/512, RSA-SHA256/384/512).
  • Transparent Implementation: Source code is available for security review. Uses standard Web APIs (SubtleCrypto) with no proprietary cryptographic libraries.

Security Warning: JWTs contain sensitive authentication credentials. If intercepted, tokens can be used to impersonate users until expiration. Never paste production tokens into public forums, screenshots, or untrusted tools. Always verify the tool's privacy policy before use. This tool processes data entirely in your browser—verify by checking network requests in browser DevTools.

JWT Decoding Best Practices

  • Verify Algorithm First: Check the alg claim matches your server's expected algorithm. Reject tokens with alg: "none" (unsigned tokens are a security risk). Ensure your server whitelists allowed algorithms.
  • Validate Expiration: Always check exp before processing tokens. Account for clock skew (typically 5-10 minutes tolerance). Use nbf if implementing token activation delays.
  • Inspect Custom Claims: Review application-specific claims (roles, permissions, tenant IDs) to ensure they match expected values. Use the Claims Table view for easier reading.
  • Cross-Reference Server Logs: Compare iat timestamps with server-side token generation logs to identify timing discrepancies or token reuse issues.
  • Test Signature Verification: Use the verification feature to test your secret/key before implementing validation in code. Verify both valid and invalid signatures to test error handling.
  • Audit Token Structure: Ensure tokens don't contain sensitive data (passwords, credit cards) in the payload. Remember: JWT payloads are Base64-encoded, not encrypted—anyone can decode them.

Decode and inspect JSON Web Tokens (JWT) instantly. View header, payload, and signature sections with proper formatting.

SecurityAuthenticationDebugging

Related Tools

Explore more developer tools

Secure Password Generator

Generate strong, random passwords with customizable options

UUID Generator

Generate RFC4122 compliant unique identifiers

Base64 Encoder/Decoder

Encode text to Base64 or decode Base64 strings

URL Encoder/Decoder

Encode URLs and query parameters safely

Related Articles

Top 25 JavaScript Developer Interview Questions and Answers (2026)
5 min read

Top 25 JavaScript Developer Interview Questions and Answers (2026)

Read article
Top 30 Python Developer Interview Questions and Answers (2026)
5 min read

Top 30 Python Developer Interview Questions and Answers (2026)

Read article
Top 50 PHP Developer Interview Questions and Answers (2026)
5 min read

Top 50 PHP Developer Interview Questions and Answers (2026)

Read article
Browse all articles