JWT Decoder
Paste a JWT token and instantly see the decoded header, payload, and claims. Free, client-side, no signup.
This tool decodes JWTs client-side. It does NOT verify signatures. Never paste tokens containing sensitive data on untrusted websites.
What Is a JWT?
A JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a compact, URL-safe JSON object. JWTs are digitally signed using a secret (HMAC) or a public/private key pair (RSA or ECDSA), which means the recipient can verify that the information has not been altered and that it came from the expected issuer. The signature provides integrity, not confidentiality: the payload is only encoded, not encrypted, so anyone holding the token can read it.
JWTs are widely used for authentication and authorization in web applications. After a user logs in, the server issues a JWT that the client includes in subsequent requests, typically in the Authorization header as a Bearer token.
JWT Structure
A JWT consists of three parts separated by dots (.): the header, payload, and signature.
| Part | Contains | Encoding | Example Fields |
|---|---|---|---|
| Header | Token type and signing algorithm | Base64URL-encoded JSON | alg, typ |
| Payload | Claims (user data, permissions, metadata) | Base64URL-encoded JSON | sub, name, iat, exp |
| Signature | Cryptographic signature (or MAC) over the header and payload | Base64URL-encoded binary | HMAC-SHA256 or RSA signature |
Common JWT Claims
| Claim | Full Name | Description |
|---|---|---|
| iss | Issuer | Who issued the token (e.g., your auth server URL) |
| sub | Subject | The user or entity the token represents |
| aud | Audience | Intended recipient(s) of the token |
| exp | Expiration Time | Unix timestamp when the token expires |
| iat | Issued At | Unix timestamp when the token was created |
| nbf | Not Before | Unix timestamp before which the token is not valid |
| jti | JWT ID | Unique identifier for the token (prevents replay attacks) |
How JWT Authentication Works
- User logs in -- the client sends credentials to the server.
- Server creates a JWT -- encodes the user's identity and permissions into the payload, signs it, and returns it.
- Client stores the JWT -- typically in memory, a cookie, or localStorage.
- Client sends JWT with requests -- usually in the Authorization: Bearer <token> header.
- Server validates the JWT -- verifies the signature, checks expiration, and extracts user data.
Frequently Asked Questions
Is this JWT decoder safe to use?
Yes. All decoding happens in your browser using JavaScript. No data is sent to any server. However, you should never paste production tokens containing sensitive data into any online tool you do not trust.
Does this tool verify JWT signatures?
No. This tool decodes the JWT to show you the header and payload, but it does not verify the cryptographic signature. Signature verification requires the signing secret or public key.
Why is my JWT showing as expired?
The tool compares the exp claim (expiration time) against the current time on your device. If the token's expiration timestamp is in the past, it displays an expiration warning. This is expected for tokens that are no longer valid.
What is Base64URL encoding?
Base64URL is a variant of Base64 that is safe for use in URLs. It replaces + with -, / with _, and omits the padding = characters. JWTs use Base64URL to encode the header and payload.
Can I decode JWTs without this tool?
Yes. Since the header and payload are just Base64URL-encoded JSON, you can decode them with any Base64 decoder or with a single line of JavaScript: JSON.parse(atob(token.split('.')[1])). Note that atob expects the standard Base64 alphabet, so the one-liner only works for segments that happen to contain no - or _ characters; a general decoder maps those back to + and / first. This tool simply makes the process faster and adds human-readable labels for common claims.
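A general-purpose decoder covering the three FAQ answers above (the expiry comparison, the Base64URL alphabet, and decoding without a library), added here as an example; it is not the tool's own code. It assumes a browser, or Node 16+, which provides the same atob, btoa, TextEncoder and TextDecoder globals. The sample token is constructed for the demo: its header is the common {"alg":"HS256","typ":"JWT"}, its payload is built in the block, and its third segment is a placeholder rather than a real signature, since, like the tool, this code verifies nothing.

```javascript
// Added example, not the tool's own code: decoding a JWT in the browser (or in
// Node 16+, which provides the same globals) without a library. The bare
// atob(...) one-liner works only while a segment happens to contain no '-' or
// '_'; atob expects the standard Base64 alphabet, so those characters are
// mapped back and the omitted padding restored before decoding.

function base64UrlToBase64(seg) {
  const std = seg.replace(/-/g, '+').replace(/_/g, '/');
  return std + '='.repeat((4 - (std.length % 4)) % 4); // restore omitted '=' padding
}

// Reverse direction, used here only to build the constructed sample payload.
function base64UrlEncode(text) {
  const bytes = new TextEncoder().encode(text);
  const bin = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeSegment(seg) {
  const bin = atob(base64UrlToBase64(seg));
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  // Decode as UTF-8 so non-ASCII claim values survive, unlike JSON.parse(atob(...)).
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Decodes header and payload and flags expiry the way the tool's warning does:
// exp is compared against the caller's clock in Unix seconds. The signature
// segment is passed through untouched; nothing here verifies it.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected three dot-separated segments');
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  const expired = typeof payload.exp === 'number' && payload.exp <= nowSeconds;
  return { header, payload, signature: parts[2], expired };
}

// Constructed sample. The '?' in the aud value sits at a byte offset that
// encodes to '_' in Base64URL, so this payload segment is exactly the case
// where the raw atob one-liner fails.
const SAMPLE_PAYLOAD = base64UrlEncode(JSON.stringify({
  sub: '42',
  aud: 'https://api.example.test/?v=2',
  exp: 2000000000,
}));
const SAMPLE_TOKEN = `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.${SAMPLE_PAYLOAD}.placeholder-signature`;

console.log(decodeJwt(SAMPLE_TOKEN, 1700000000));
```

Passing the clock in explicitly makes the expiry check testable and also makes the caveat from the FAQ concrete: the "expired" flag depends entirely on the device's clock, and a decoder that reports it has still proven nothing about who issued the token.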