What is a JWT (JSON Web Token)?

A JWT is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three Base64URL-encoded parts separated by dots: a header (algorithm and type), a payload (claims/data), and a signature. JWTs are widely used for authentication, authorization, and information exchange in web APIs.

Is decoding a JWT the same as verifying it?

No. Decoding a JWT simply reads the header and payload, which are only Base64URL-encoded (not encrypted). Anyone can decode a JWT. Verification checks the signature using the secret key or public key to ensure the token hasn't been tampered with. This tool decodes tokens for inspection but does not verify signatures.

Is it safe to paste JWTs into this tool?

Yes. This tool runs 100% in your browser — no data is sent to any server. However, JWTs may contain sensitive claims. Always be cautious about sharing JWTs, as they can be replayed if still valid.

What are common JWT claims?

Standard claims include: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). Applications often add custom claims like user roles, permissions, email, and organization ID.

JWT Decoder

Decode and inspect JSON Web Tokens. View header, payload, claims, and expiration status. 100% client-side — nothing leaves your browser.

Token

Paste a JWT (eyJhbG...) — it will be auto-decoded on paste.

Header

Decoded header will appear here...

Payload

Decoded payload will appear here...

Claims

Parsed claims will appear here...

Related tools

Frequently Asked Questions

A JWT is a compact token format (RFC 7519) used to securely transmit information between parties. It has three parts separated by dots: a Base64URL-encoded header (algorithm info), payload (claims), and signature. JWTs are stateless and commonly used for API authentication, single sign-on (SSO), and authorization.

No. The header and payload are only Base64URL-encoded, not encrypted. Anyone can decode them. Verification involves checking the cryptographic signature using the issuer's secret or public key to ensure the token hasn't been modified. This tool decodes for inspection only.

The exp claim is a Unix timestamp indicating when the token expires. If the current time is past this value, the token is expired. Most APIs reject expired tokens. Check the "issued at" (iat) and "not before" (nbf) claims to understand the token's validity window.

Navigation

Header

Payload

Claims

Frequently Asked Questions

What is a JSON Web Token (JWT)?

Is decoding a JWT the same as verifying it?

Why is my JWT expired?