JWT Decoder

Decode JWT (JSON Web Token) headers and payloads locally in your browser. View claims, algorithm info, and signature without sending data to any server.

How to Use JWT Decoder

What is a JWT?

A JWT (JSON Web Token) is a compact, URL-safe token format used for securely transmitting information between parties. JWTs are commonly used for authentication and authorization in web applications and APIs.

JWT Structure

A JWT consists of three parts separated by dots (.):

header.payload.signature
  1. Header: Contains token type (JWT) and signing algorithm (HS256, RS256, etc.)
  2. Payload: Contains claims (user data, permissions, expiration, etc.)
  3. Signature: Cryptographic signature to verify the token hasn't been tampered with

How to Use This Tool

Decode a JWT Token

  1. Paste your JWT in the input field (the entire header.payload.signature string)
  2. Click Decode to extract and parse the token
  3. View the decoded Header JSON (left panel) showing algorithm and token type
  4. View the decoded Payload JSON (right panel) showing claims like sub, exp, iat, custom data
  5. View the Signature segment at the bottom (base64url-encoded, not verified)
  6. Click Copy next to Header or Payload to copy the JSON individually
  7. Use Clear to reset and decode another token
  8. Try Sample Token to see a demo JWT

Important Note

⚠️ This tool ONLY decodes tokens locally in your browser. It does NOT:

  • Verify signatures (check if the token is authentic)
  • Validate expiration (exp claim)
  • Check issuer (iss) or audience (aud)
  • Send data to any server

For signature verification, use a proper JWT library with access to the secret key or public key.

Common Use Cases

  • Debug Authentication: Inspect JWTs from API responses to see user claims
  • Check Token Expiration: View exp (expiration) and iat (issued at) timestamps
  • Verify Permissions: See roles, scopes, or custom claims embedded in tokens
  • API Testing: Decode tokens from OAuth flows, login responses, or bearer tokens
  • Learn JWT Structure: Understand how JWTs encode data in base64url format
  • Troubleshoot Authorization: Check if expected claims are present in tokens

Common JWT Claims

  • sub (Subject): User ID or identifier
  • iss (Issuer): Who issued the token (e.g., auth0.com)
  • aud (Audience): Intended recipient(s) of the token
  • exp (Expiration): Unix timestamp when token expires
  • iat (Issued At): Unix timestamp when token was created
  • nbf (Not Before): Token is not valid before this time
  • jti (JWT ID): Unique identifier for the token
  • Custom claims: email, roles, permissions, name, etc.

Security Reminders

  • Never trust decoded data without verification—anyone can create a JWT with any claims
  • Signature verification requires the secret key—this tool cannot verify signatures
  • JWTs are encoded, NOT encrypted—anyone can decode and read the payload
  • Don't store sensitive data in JWTs—payloads are publicly readable
  • Always use HTTPS—JWTs in transit should be encrypted at the transport layer
  • Validate exp/iat/nbf claims—check token expiration and validity in your backend

Tips

  • Copy the decoded JSON to analyze claims in your code editor
  • Check the alg (algorithm) in the header—none is insecure and should never be used in production
  • Unix timestamps (exp, iat) can be converted to human-readable dates using tools or new Date(exp * 1000)
  • If you see "Invalid JWT" errors, ensure you copied the entire token including all three segments
