JWT Decoder
Decode and inspect JSON Web Tokens (JWT) instantly.
Note: This tool decodes but does not verify signatures. To verify, you need the secret key or public key used to sign the token.
About JSON Web Tokens (JWT)
A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. JWTs are commonly used for authentication and authorization in web applications.
JWT Structure
A JWT consists of three parts separated by dots (.):
- Header: Contains the token type (JWT) and the signing algorithm (e.g., HS256, RS256).
- Payload: Contains the claims—statements about an entity (user) and additional data.
- Signature: Used to verify the token wasn't tampered with. Created by signing the encoded header and payload with a secret (HMAC) or a private key (RSA/ECDSA).
Common Claims
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Who issued the token |
| sub | Subject | The subject of the token (usually user ID) |
| aud | Audience | Intended recipient of the token |
| exp | Expiration | When the token expires (Unix timestamp) |
| iat | Issued At | When the token was issued |
| nbf | Not Before | Token not valid before this time |
Security Note
JWTs are encoded, not encrypted. Anyone can decode the header and payload. Never store sensitive information (like passwords) in a JWT. The signature only ensures the token hasn't been modified.
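The difference between decoding and verifying, as an added Node.js example (not this tool's code): decoding accepts a tampered payload, while verification with the key rejects it. It assumes HS256 and Node's built-in crypto module; the function names, demo secret and sample token are constructed for illustration.

```javascript
const nodeCrypto = require('crypto'); // Node.js built-in module

// base64url helpers (Buffer handles the URL-safe alphabet without padding)
const b64u = (data) => Buffer.from(data).toString('base64url');
const fromB64u = (s) => Buffer.from(s, 'base64url');

// Decode only: what a decoder tool does. No key involved, nothing is trusted.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return {
    header: JSON.parse(fromB64u(parts[0]).toString('utf8')),
    payload: JSON.parse(fromB64u(parts[1]).toString('utf8')),
    signingInput: parts[0] + '.' + parts[1],
    signature: fromB64u(parts[2]),
  };
}

// Verify an HS256 signature and the time claims; returns the payload or throws.
function verifyHs256(token, secret, now = Math.floor(Date.now() / 1000)) {
  const { header, payload, signingInput, signature } = decodeJwt(token);
  // Pin the algorithm: never let the token's own header choose it.
  if (header.alg !== 'HS256') throw new Error('unexpected alg');
  const expected = nodeCrypto.createHmac('sha256', secret).update(signingInput).digest();
  if (signature.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(signature, expected)) throw new Error('bad signature');
  if (typeof payload.exp === 'number' && now >= payload.exp) throw new Error('expired');
  if (typeof payload.nbf === 'number' && now < payload.nbf) throw new Error('not yet valid');
  return payload;
}

// Constructed sample: sign a token with a demo secret (hypothetical values).
function signHs256(payload, secret) {
  const input = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) + '.' + b64u(JSON.stringify(payload));
  return input + '.' + b64u(nodeCrypto.createHmac('sha256', secret).update(input).digest());
}

const SECRET = 'demo-secret-not-for-production';
const good = signHs256({ sub: 'user-123', role: 'user', exp: 2000000000 }, SECRET);
// Tampered copy: payload replaced, original signature kept.
const [h, , s] = good.split('.');
const forged = [h, b64u(JSON.stringify({ sub: 'user-123', role: 'admin', exp: 2000000000 })), s].join('.');

console.log(decodeJwt(forged).payload.role); // admin: decoding alone shows the forged claim
try { verifyHs256(forged, SECRET, 1700000000); } catch (e) { console.log(e.message); } // bad signature
```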
Frequently Asked Questions
Is it safe to paste my JWT here?
Yes! This tool runs entirely in your browser. Your JWT is never sent to any server. All decoding happens client-side using JavaScript.
Can this tool verify my JWT signature?
This tool decodes and displays the JWT structure but does not verify the signature. Verification requires the secret key (for HMAC) or public key (for RSA/ECDSA) used to sign the token.
What's the difference between HS256 and RS256?
HS256 uses a shared secret key for both signing and verification (symmetric). RS256 uses a private key to sign and a public key to verify (asymmetric), which is more secure for distributed systems because services that only verify tokens never hold the signing key.
Why is my token showing as expired?
The exp claim in the payload is a Unix timestamp. If the current time is past this value, the token is expired. This is a security feature to limit token lifetime.
How do I create a JWT?
JWTs are typically created server-side using libraries like jsonwebtoken (Node.js), PyJWT (Python), or built-in functions in frameworks like Laravel or Spring.