
JWT Decoder

Decode and inspect JSON Web Tokens — header, payload, and signature. Check expiry status instantly.

100% client-side

Your JWT token is decoded entirely in your browser. Nothing is transmitted to any server. Signature verification is not performed as it requires the signing secret or key.

Understanding JSON Web Tokens

JSON Web Tokens have become the standard for authentication and authorization in modern web applications. A JWT encodes a set of claims as a JSON object and signs it to ensure integrity. The token travels with each request, allowing servers to verify the user's identity without querying a database on every call.

A JWT consists of three parts separated by dots: the header specifies the signing algorithm, the payload contains the claims (data), and the signature verifies that the token has not been tampered with.

Anatomy of a JWT

Header

Contains the token type (JWT) and signing algorithm (HS256, RS256, etc.). Base64URL-encoded JSON.

Payload

Contains the claims — user data, permissions, expiry time, and any custom fields. Also Base64URL-encoded.

Signature

Created by signing the encoded header and payload with a shared secret (HS256) or a private key (RS256 and other asymmetric algorithms). It lets the verifier detect tampering but does not encrypt the data.

Important security note

JWTs are signed, not encrypted. Anyone with the token can read the payload. Never store sensitive data like passwords or credit card numbers in JWT claims.

Common JWT Claims

The JWT specification defines several registered claims: iss (issuer), sub (subject), aud (audience), exp (expiration), iat (issued at), and nbf (not before). Applications also add custom claims like user roles, permissions, tenant IDs, and feature flags.
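The decode-and-check-expiry steps described above, as an added example (not the tool's own source): it splits the token, Base64URL-decodes the header and payload, leaves the signature unverified, and classifies the token from its exp and nbf claims. The sample token is the widely published jwt.io demo token, which carries a dummy HS256 signature and no exp claim.

```javascript
// Added example: decode a JWT without verifying it, then evaluate exp/nbf.
// Runs in a browser or in Node >= 16 (atob and TextDecoder are global in both).

function base64UrlDecode(segment) {
  // Base64URL swaps '+'/'/' for '-'/'_' and drops '=' padding; restore standard Base64.
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8").decode(bytes);
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error("a JWS compact token must have exactly three dot-separated parts");
  }
  const [headerB64, payloadB64, signatureB64] = parts;
  return {
    header: JSON.parse(base64UrlDecode(headerB64)),
    payload: JSON.parse(base64UrlDecode(payloadB64)),
    signature: signatureB64, // kept as Base64URL text; not checked here
    verified: false,         // decoding says nothing about authenticity;
                             // never trust header.alg or any claim until verified
  };
}

// Returns "not-yet-valid", "expired", "no-expiry" or "active" from the time claims.
// exp and nbf are Unix timestamps in seconds; `now` defaults to the current time.
function expiryStatus(payload, now = Math.floor(Date.now() / 1000)) {
  if (typeof payload.nbf === "number" && now < payload.nbf) return "not-yet-valid";
  if (typeof payload.exp !== "number") return "no-expiry";
  return now >= payload.exp ? "expired" : "active";
}

// Sample input (the jwt.io demo token): header {"alg":"HS256","typ":"JWT"},
// payload {"sub":"1234567890","name":"John Doe","iat":1516239022}.
const SAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header, decoded.payload, expiryStatus(decoded.payload));
```

Because `verified` is always false, anything built on this output (role checks, user lookups) must first verify the signature with the proper key; the exp check only tells you the token has not timed out, not that it is genuine.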

Frequently Asked Questions

What is a JSON Web Token?

A compact, URL-safe token format for transmitting claims between parties. It has three Base64URL-encoded parts: header, payload, and signature.

Can this tool verify JWT signatures?

No. Signature verification requires the secret/public key. This tool only decodes the header and payload, which are readable without a key.

Is it safe to paste my JWT here?

Yes. The tool runs entirely in your browser. The token is never sent to any server. Avoid pasting production tokens in shared environments.

What are common JWT claims?

Standard claims include iss (issuer), sub (subject), aud (audience), exp (expiration), iat (issued at), and nbf (not before). Custom claims can include roles and permissions.

How can I tell if a JWT has expired?

The exp claim contains a Unix timestamp (seconds since the epoch). This tool compares it with the current time automatically and shows whether the token is still within its validity window or has expired. Note that "not expired" is not the same as "authentic": the signature is not verified here.
