JWT Decoder

Decode and inspect JSON Web Tokens (JWT) instantly. View header, payload, and signature sections with proper formatting.

What is a JSON Web Token (JWT)?

A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. JWTs are commonly used for authentication and information exchange in modern web applications.

A JWT consists of three parts separated by dots (.): Header.Payload.Signature

  • Header: Contains the token type (JWT) and the signing algorithm (e.g., HS256, RS256)
  • Payload: Contains the claims - statements about an entity (typically the user) and additional data
  • Signature: Used to verify that the sender of the JWT is who it says it is and to ensure the message wasn't changed

How JWT Decoding Works

JWTs use Base64URL encoding, which makes them safe to pass in URLs and HTTP headers. Our decoder:

  • Splits the token into three parts using the dot (.) separator
  • Decodes each part from Base64URL encoding
  • Parses JSON from the decoded header and payload
  • Displays the signature in its encoded form
  • Extracts timing information like issued time (iat), expiration (exp), and not-before (nbf)

Important: This tool only decodes and displays JWT contents. It does not verify the signature or validate the token's authenticity. Signature verification requires the secret key and should be done server-side.

Common JWT Claims

iss (Issuer): Identifies who issued the token
sub (Subject): Identifies the subject of the token (usually the user ID)
aud (Audience): Identifies the recipients that the JWT is intended for
exp (Expiration Time): Timestamp after which the JWT should not be accepted
iat (Issued At): Timestamp when the JWT was issued
nbf (Not Before): Timestamp before which the JWT should not be accepted
jti (JWT ID): Unique identifier for the JWT

Common Use Cases

  • Debugging Authentication: Inspect JWTs to verify they contain the correct claims and data
  • Token Expiration: Check when a token was issued and when it expires
  • Development & Testing: Examine tokens during API development and integration testing
  • Security Audits: Review JWT structure and claims for security analysis
  • Integration Issues: Troubleshoot problems with third-party services using JWTs
  • Learning: Understand JWT structure and how authentication tokens work

FAQ

Yes, it's safe to decode JWTs in the browser because JWTs are not encrypted - they are only encoded. Anyone with the token can decode and read its contents. However, never share your JWTs publicly, and don't paste sensitive tokens into untrusted tools. This tool runs entirely in your browser and doesn't send your tokens anywhere.
No. Signature verification requires the secret key (for HMAC algorithms) or public key (for RSA algorithms). For security reasons, signature verification should always be done server-side. This tool only decodes and displays the JWT contents.
JWTs often include an "exp" (expiration) claim that specifies when the token should no longer be accepted. If the current time is past this expiration time, the token is considered expired and should be rejected by the server, even if the signature is valid.
Common reasons include: incomplete token (missing parts), invalid Base64 encoding, or the token might not be a JWT at all. Valid JWTs always have three parts separated by dots (.) and use Base64URL encoding.
Encoding (like Base64) is a reversible transformation that anyone can decode - it's not meant for security. Encryption scrambles data using a key and can only be decrypted with the correct key. JWTs are encoded, not encrypted, so their contents are visible to anyone. The signature ensures integrity, not confidentiality.

Security & Privacy

  • Client-Side Only: All decoding happens in your browser using JavaScript
  • No Server Requests: Your JWT tokens are never sent to any server
  • No Storage: Tokens are not saved or logged anywhere
  • Open Source: You can verify our code to ensure your data stays private

Warning: Never share your JWT tokens publicly or paste them into untrusted websites. JWTs often contain sensitive information and can be used to impersonate users if intercepted.

Usage Tips

  • Check token expiration before debugging authentication issues
  • Verify the algorithm (alg) in the header matches your server configuration
  • Look for custom claims specific to your application
  • Compare issued time (iat) with your server logs to track token creation
  • Use the copy buttons to easily share decoded sections (but be careful with sensitive data)
  • Bookmark this tool for quick access during development and debugging

Other Tools

Secure Password Generator

Generate strong, random passwords with customizable options

UUID Generator

Generate RFC4122 compliant unique identifiers

Base64 Encoder/Decoder

Encode text to Base64 or decode Base64 strings

URL Encoder/Decoder

Encode URLs and query parameters safely

JWT Decoder

Decode and inspect JSON Web Tokens

Slugify - URL Slug Generator

Convert text to SEO-friendly URL slugs

JSON Formatter

Format, validate, and beautify JSON data

Color Picker & Converter

Pick colors and convert between formats

Box-Shadow Generator

Create CSS box-shadows with live preview

Lorem Ipsum Generator

Generate placeholder text for designs

Text Diff Checker

Compare two texts and see differences instantly

Regex Tester

Test and debug regular expressions online