JWT Decoder
Paste a JWT and instantly see the decoded header, payload, and expiration status. No tokens are sent to any server — everything runs in your browser.
Header
Payload
Signature
⚠ Signature is displayed only, not verified.
Reference
JSON Web Tokens (JWT)
A JWT (JSON Web Token) is a compact, URL-safe token format defined in RFC 7519. It consists of three base64url-encoded parts separated by dots: header.payload.signature. JWTs are widely used for authentication and information exchange between parties.
Structure
Header — a JSON object containing the token type (typ) and the signing algorithm (alg), e.g. HS256 or RS256.
Payload — a JSON object containing claims: registered claims like iss (issuer), sub (subject), exp (expiration time), iat (issued at); and custom application claims.
Signature — the result of signing the encoded header and payload with a secret or private key. It ensures the token has not been tampered with.
⚠ Security Note
Decoding is not the same as verifying. This tool decodes the token and displays its contents, but it does not verify the signature. Anyone can create a JWT with arbitrary claims. Never trust JWT claims without verifying the signature server-side using the appropriate secret or public key. Use a library like jsonwebtoken (Node.js) or PyJWT (Python) in production.
Registered JWT claims
RFC 7519 defines seven registered claims:
iss (issuer) — who created the token.
sub (subject) — the user or entity the token represents.
aud (audience) — the intended recipient(s).
exp (expiration time) — Unix timestamp after which the token is invalid.
nbf (not before) — token is not valid before this time.
iat (issued at) — when the token was created.
jti (JWT ID) — a unique identifier to prevent replay attacks.
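The difference between decoding and verifying described in the Security Note, together with the exp and nbf claims listed above, shown as an added Node.js example (not this tool's own code). The function names, the secret and the timestamps are constructed for illustration, and only HS256 is handled; in production use a maintained library as the note recommends.

```javascript
const crypto = require("node:crypto");

const fromB64url = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));
const toB64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Decode only: splits and parses the token. Proves nothing about who made it.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return { header: fromB64url(parts[0]), payload: fromB64url(parts[1]), signature: parts[2] };
}

// Helper used here only to build the constructed sample tokens.
function signHs256(payload, secret) {
  const input = `${toB64url({ alg: "HS256", typ: "JWT" })}.${toB64url(payload)}`;
  const sig = crypto.createHmac("sha256", secret).update(input).digest("base64url");
  return `${input}.${sig}`;
}

// Verify: recompute the HMAC over header.payload, then evaluate the time claims.
function verifyHs256(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  let decoded;
  try { decoded = decodeJwt(token); } catch { return { ok: false, reason: "malformed" }; }
  // Pin the algorithm on the server; never let the token's header choose it.
  if (decoded.header?.alg !== "HS256") return { ok: false, reason: "unexpected alg" };
  const input = token.slice(0, token.lastIndexOf("."));
  const expected = crypto.createHmac("sha256", secret).update(input).digest();
  const given = Buffer.from(decoded.signature, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad signature" };
  }
  // Claims are read only after the signature check has passed.
  const { exp, nbf } = decoded.payload ?? {};
  if (typeof exp === "number" && nowSeconds >= exp) return { ok: false, reason: "expired" };
  if (typeof nbf === "number" && nowSeconds < nbf) return { ok: false, reason: "not yet valid" };
  return { ok: true, payload: decoded.payload };
}

// Constructed sample data (not real credentials).
const SECRET = "constructed-demo-secret";
const NOW = 1700000000;
const good = signHs256({ sub: "alice", role: "user", exp: NOW + 300 }, SECRET);
// Same header and signature, payload edited after signing.
const [h, , s] = good.split(".");
const forged = `${h}.${toB64url({ sub: "alice", role: "admin", exp: NOW + 300 })}.${s}`;
const stale = signHs256({ sub: "alice", exp: NOW - 1 }, SECRET);

console.log(decodeJwt(forged).payload.role);          // "admin"
console.log(verifyHs256(forged, SECRET, NOW).reason); // "bad signature"
```

The edited token decodes cleanly, which is all a decoder can tell you; only the server-side check with the secret rejects it.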
Privacy
All decoding runs 100% in your browser. No data is sent to a server.