JWT Decoder

Paste a JSON Web Token to decode its header, payload claims, and expiry. Runs entirely in your browser.

What is a JSON Web Token?

A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way to securely transmit information between parties as a JSON object. The information is digitally signed, so it can be verified and trusted. JWTs are the dominant format for API authentication tokens and single sign-on (SSO) sessions.

JWT Structure

A JWT has three parts, separated by dots (.): a header (algorithm and token type), a payload (claims/data), and a signature.

Each part is Base64URL-encoded (similar to Base64 but using - and _ instead of + and /, with no padding).

How to Use This JWT Decoder

  1. Paste your JWT into the input box above.
  2. Click Decode JWT. The header and payload are decoded and displayed immediately.
  3. Check the expiry badge to see if the token has expired, and the claims table for key fields like issuer, subject, and audience.
  4. Expand Raw JSON to see the full payload object.

Frequently Asked Questions

What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format used to represent claims between two parties. It consists of three Base64URL-encoded parts separated by dots: a header (algorithm and token type), a payload (claims/data), and a signature. JWTs are widely used for authentication and authorization in web APIs.
Is it safe to paste my JWT here?
This tool runs entirely in your browser — no data is sent to any server. However, JWTs are bearer tokens: anyone who holds a valid JWT can use it. Avoid pasting production JWTs with sensitive payloads into any online tool as a general practice. Use test or expired tokens when possible.
Can this tool verify a JWT signature?
No. Signature verification requires the secret key (for HMAC algorithms like HS256) or the public key (for asymmetric algorithms like RS256). This tool only decodes the header and payload — it cannot tell you whether a token was legitimately issued or has been tampered with.
What are JWT claims?
Claims are statements about the subject encoded in the payload. Standard (registered) claims include: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). Applications can also define custom (private) claims.
What does the expiry status mean?
The exp claim contains a Unix timestamp representing when the token expires. This tool compares exp against your local clock. "Expired" means the current time is past exp — the token should be rejected by any properly implemented server. "Valid" means the token has not yet expired; it refers to expiry only, since this tool does not verify the signature.
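
The decoding described under "JWT Structure" and the expiry comparison from the last answer, as an added JavaScript example (not this tool's own code). The function names, the `signatureVerified` field and the sample token's claims are assumptions constructed for illustration.

```javascript
// Added example: decode-only, like the tool described above. Nothing here checks the signature.

// Decode one Base64URL segment (uses - and _, padding omitted) into a UTF-8 string.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("segment is not valid Base64URL");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Inverse helper, used only to build the constructed sample token below.
function base64UrlEncode(text) {
  const bytes = new TextEncoder().encode(text);
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Split header.payload.signature, decode the first two parts, and compare exp
// (Unix seconds) with the supplied clock. The signature part is left untouched.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error("expected three dot-separated parts");
  }
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(base64UrlDecode(p)));
  const isObject = (v) => v !== null && typeof v === "object";
  if (!isObject(header) || !isObject(payload)) {
    throw new Error("header and payload must be JSON objects");
  }
  let expiry = "No exp claim";
  if (typeof payload.exp === "number") {
    expiry = nowSeconds >= payload.exp ? "Expired" : "Valid"; // expiry only, not authenticity
  }
  return { header, payload, expiry, signatureVerified: false };
}

// Constructed sample token: made-up claims and a placeholder third part, not a real signature.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({ iss: "https://issuer.example", sub: "user-123", exp: 1700000000 })),
  "placeholder-not-a-signature",
].join(".");

console.log(decodeJwt(SAMPLE_TOKEN, 1699999999)); // clock fixed one second before exp
```

Because the third part is never checked, the decoded claims are untrusted input until a server verifies the signature with the appropriate key.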