JWT Decoder
Inspect your JSON Web Token Header and Payload instantly and securely in your browser.
Important security note
• This decoder runs only in your browser. No token is sent to external servers.
• Never share JWT tokens that contain sensitive information.
• JWT tokens may contain personal information. Use them responsibly.
JWT Token
Result
Paste a JWT token in the field beside to decode it
Decoding history
About JWT tokens
What is JWT?
JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact, self-contained way to securely transmit information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
JWT structure
A JWT consists of three parts separated by dots (.):
- Header: contains the token type and signing algorithm (for example HS256, RS256).
- Payload: contains the claims, which are statements about an entity (usually the user) and additional metadata.
- Signature: is used to verify that the JWT sender is who it claims to be and to ensure the message was not altered in transit.
Standard claims
| Claim | Description |
|---|---|
| iss | Issuer - identifies who issued the token. |
| sub | Subject - identifies the subject of the token, usually the user. |
| aud | Audience - identifies the recipients for whom the token is intended. |
| exp | Expiration Time - timestamp after which the token is no longer valid. |
| nbf | Not Before - timestamp before which the token is not valid. |
| iat | Issued At - timestamp of when the token was issued. |
| jti | JWT ID - unique identifier for the token. |
Security
Important: this decoder only displays the content of the JWT token. It does not verify the signature or token validity.
JWT tokens can contain sensitive information. Never share tokens with third parties or in public places.
To verify a JWT signature, you need the secret key (for HMAC algorithms) or the public key (for RSA or ECDSA algorithms).
About the Decoder
Essential tool for debugging modern authentication (OAuth, OIDC).
Frequently Asked Questions
- **Do you save my token or verify the signature?** No. Everything runs purely in the browser and we only base64-decode the string; we don't verify the cryptographic signature.
Advanced JWT Decoder - Secure tool running 100% in your browser
Use for development, debugging, and learning about JWT authentication.