JWT Decoder

Paste a JWT and instantly see its header, payload and signature.

..
{{ __t('section_header') }} 

                        


                        

                            

                                {{ __t('section_payload') }}
                                
                            

                            


                            

                                
{{ __t('claims_heading') }}

                                

                                    

                                    

                                        
                                        
                                    

                                

                            

                        


                        

                            

                                {{ __t('section_signature') }}
                                
                            

                            

                            

                                {{ __t('signature_note') }}
                            

                        


                    


                    

                        
                        
{{ __t('empty_state') }}

                    

                


            

        

    


    
    

        

            

                
What is a JWT?

                
A JSON Web Token (JWT, RFC 7519) is an open standard for securely transmitting claims between two parties in a compact, URL-safe format. JWTs are used in modern web APIs for authentication and authorization — for example, after login to identify the user on every subsequent request.

                
Important: A JWT is not encrypted, only signed. Anyone who possesses the token can read its contents. Never store passwords or sensitive data in the payload.


                
Structure of a JWT

                
    
                    
  • Header — describes the token type (typ) and the signing algorithm (alg), e.g. HS256, RS256.
    • 
                    
  • Payload — contains the claims (data points) as JSON, base64url-encoded. Both standard and custom claims are allowed.
    • 
                    
  • Signature — cryptographic signature over header + payload, created with the algorithm specified in alg.
    • 
                


                
Standard claims (RFC 7519)

                
    
                    
  • iss — Issuer (who issued the token)
    • 
                    
  • sub — Subject (typically the user ID)
    • 
                    
  • aud — Audience (intended recipient of the token)
    • 
                    
  • exp — Expiration Time (expiry as a Unix timestamp)
    • 
                    
  • iat — Issued At (when the token was issued)
    • 
                    
  • nbf — Not Before (not valid before this time)
    • 
                


                
Is this tool secure?

                
Yes. Decoding happens entirely in your browser with JavaScript. No token is sent to any server and nothing is logged. You can inspect the implementation in your browser's developer tools at any time. Still, only paste production tokens in trusted environments.