JWT Decoder
Decode and inspect JSON Web Tokens (JWT) instantly.
Note: This tool decodes but does not verify signatures. To verify, you need the secret key or public key used to sign the token.
About JSON Web Tokens (JWT)
A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. JWTs are commonly used for authentication and authorization in web applications.
JWT Structure
A JWT consists of three parts separated by dots (.):
- Header: Contains the token type (JWT) and the signing algorithm (e.g., HS256, RS256).
- Payload: Contains the claims—statements about an entity (user) and additional data.
- Signature: Used to verify the token wasn't tampered with. Created by signing the header and payload with a secret (HMAC) or a private key (RSA/ECDSA).
Common Claims
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Who issued the token |
| sub | Subject | The subject of the token (usually user ID) |
| aud | Audience | Intended recipient of the token |
| exp | Expiration | When the token expires (Unix timestamp) |
| iat | Issued At | When the token was issued |
| nbf | Not Before | Token not valid before this time |
Security Note
JWTs are encoded, not encrypted. Anyone can decode the header and payload. Never store sensitive information (like passwords) in a JWT. The signature only ensures the token hasn't been modified.
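The gap between decoding and verifying, as an added Node.js example (not this tool's code): a swapped payload decodes without complaint but fails the HS256 check, and a valid token is still rejected once `exp` has passed. The function names, the secret and the sample token are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Decode one base64url segment (JWT segments are base64url without padding).
const b64urlDecode = (seg) => Buffer.from(seg, 'base64url');

// Decode only: what a decoder tool does. Proves nothing about authenticity.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [h, p, s] = parts;
  return {
    header: JSON.parse(b64urlDecode(h).toString('utf8')),
    payload: JSON.parse(b64urlDecode(p).toString('utf8')),
    signingInput: `${h}.${p}`,
    signature: b64urlDecode(s),
  };
}

// Verify: pin the algorithm instead of trusting the header, recompute the HMAC,
// compare in constant time, then enforce exp/nbf. `now` is Unix seconds.
function verifyHs256(token, secret, now = Math.floor(Date.now() / 1000)) {
  const { header, payload, signingInput, signature } = decodeJwt(token);
  if (header.alg !== 'HS256') throw new Error('unexpected alg');
  const expected = crypto.createHmac('sha256', secret).update(signingInput).digest();
  if (signature.length !== expected.length ||
      !crypto.timingSafeEqual(signature, expected)) throw new Error('bad signature');
  if (typeof payload.exp === 'number' && now >= payload.exp) throw new Error('expired');
  if (typeof payload.nbf === 'number' && now < payload.nbf) throw new Error('not yet valid');
  return payload;
}

// Helper that builds the constructed sample token used below.
function signHs256(payload, secret) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const input = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}`;
  const sig = crypto.createHmac('sha256', secret).update(input).digest('base64url');
  return `${input}.${sig}`;
}

const SECRET = 'demo-secret-constructed'; // constructed, not a real credential
const token = signHs256({ sub: 'user-123', exp: 2000 }, SECRET);
// Modified copy: different payload, original signature kept.
const [h, , s] = token.split('.');
const forgedPayload = Buffer.from(JSON.stringify({ sub: 'admin', exp: 2000 })).toString('base64url');
const forged = `${h}.${forgedPayload}.${s}`;
```

A service should only act on the payload returned by `verifyHs256`, never on the output of `decodeJwt` alone.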
Frequently Asked Questions
Is it safe to paste my JWT here?
Yes! This tool runs entirely in your browser. Your JWT is never sent to any server. All decoding happens client-side using JavaScript.
Can this tool verify my JWT signature?
This tool decodes and displays the JWT structure but does not verify the signature. Verification requires the secret key (for HMAC) or public key (for RSA/ECDSA) used to sign the token.
What's the difference between HS256 and RS256?
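HS256 uses a shared secret key for both signing and verification (symmetric), so every party that can verify a token can also sign one. RS256 uses a private key to sign and a public key to verify (asymmetric), which is more secure for distributed systems because services that verify tokens never need the signing key.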
Why is my token showing as expired?
The exp claim in the payload is a Unix timestamp. If the current time is past this value, the token is expired. This is a security feature to limit token lifetime.
How do I create a JWT?
JWTs are typically created server-side using libraries like jsonwebtoken (Node.js), PyJWT (Python), or built-in functions in frameworks like Laravel or Spring.