JWT Decoder-- Decode & Inspect JWT Tokens

Decode JWT tokens to view header, payload claims, and signature instantly.

Paste JWT token to decode

Decoded JWT

Why Use Our JWT Decoder?

Full Decode

View header, payload claims, and signature separately.

Formatted JSON

Header and payload displayed as pretty-printed JSON.

No Verification

Inspect tokens without needing the secret key.

100% Private

All processing happens in your browser. Tokens never leave your device.

One-Click Copy

Copy decoded output to clipboard instantly.

Free Forever

No signup, no limits. Decode unlimited JWT tokens free.

Other Encoding Tools

Base64 Encode

Encode text to Base64 format

Base64 Decode

Decode Base64 back to text

Base64 Image

Convert images to Base64 data URIs

URL Encode

Percent-encode text for URLs

URL Decode

Decode percent-encoded URL text

URL Parser

Parse URLs into components

Query Builder

Build URL query strings

HTML Encode

Encode special chars to HTML entities

HTML Decode

Decode HTML entities back to text

JWT Builder

Build JWT tokens from JSON

Unicode Escape

Escape/unescape Unicode sequences

Hex Encode

Encode/decode hexadecimal

ROT13

ROT13 cipher encoder/decoder

Complete JWT Decoding Guide

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way to securely transmit information between parties as a JSON object. JWTs are widely used for authentication, authorization, and information exchange in modern web applications and APIs.

A JWT consists of three parts separated by dots: header.payload.signature. Each part is base64url-encoded. The header specifies the token type and signing algorithm. The payload contains claims (user data and metadata). The signature ensures the token hasn't been tampered with.

Our JWT decoder parses the token and displays the header and payload as formatted JSON, along with the raw signature string. This is essential for debugging authentication issues, verifying token contents during development, and understanding what data a JWT carries. All decoding happens locally in your browser.

Important: JWT payloads are encoded, not encrypted. Anyone with the token can read its contents. Never put sensitive secrets in JWT payloads. Use JWE (JSON Web Encryption) if payload confidentiality is required.

Understanding the three-part structure of JWT tokens is essential for working with modern authentication systems:

Header (JOSE Header)

Contains token metadata: 'alg' (algorithm like HS256, RS256, ES256), 'typ' (usually "JWT"), and optionally 'kid' (key ID for key rotation). The header determines how the signature is created and verified.

Payload (Claims)

Contains the actual data. Registered claims include 'iss' (issuer), 'sub' (subject), 'aud' (audience), 'exp' (expiration), 'nbf' (not before), 'iat' (issued at), 'jti' (JWT ID). Custom claims carry application-specific data like user roles, permissions, and profile info.

Signature

Created by signing the encoded header and payload with a secret (HMAC) or private key (RSA/ECDSA). Verification requires the same secret or the corresponding public key. Prevents token tampering.

The three parts are each base64url-encoded (a URL-safe variant of base64 that replaces + with -, / with _, and removes padding =) and joined with dots. This produces a compact string suitable for HTTP headers, URL parameters, and cookies.

API Authentication

JWTs in Authorization headers (Bearer tokens) authenticate API requests. Stateless verification means servers don't need session storage.

Single Sign-On (SSO)

JWTs carry user identity across services. One login produces a token that all connected services accept, enabling seamless SSO experiences.

OAuth 2.0 / OIDC

OpenID Connect (OIDC) uses JWTs as ID tokens. OAuth 2.0 access tokens are often JWTs containing scopes and permissions.

Microservices Communication

JWTs propagate user context across microservices. Each service verifies the token independently without calling an auth server.

Email Verification Links

JWTs in email verification URLs carry the user ID and expiration. Self-contained tokens eliminate the need for database lookup.

Password Reset Tokens

Time-limited JWTs with user ID and purpose claims provide secure, self-expiring password reset tokens without server-side state.

JWTs are powerful but require careful implementation. Follow these security best practices to avoid common vulnerabilities:

Always verify signatures: Never trust a JWT without verifying its signature using the correct key. The 'alg: none' attack exploits libraries that skip verification.
Set short expiration times: Use the 'exp' claim with short lifetimes (15 minutes for access tokens). Combine with refresh tokens for longer sessions.
Don't store sensitive data in payloads: JWT payloads are readable by anyone. Never include passwords, credit card numbers, or other secrets. Use JWE for confidential data.
Use strong signing keys: For HMAC algorithms, use at least 256-bit secrets. For RSA, use at least 2048-bit keys. Rotate keys periodically using the 'kid' header.

Our decoder is designed for inspection and debugging only. In production systems, always verify JWT signatures server-side using well-maintained libraries like jsonwebtoken (Node.js), PyJWT (Python), or java-jwt (Java).

What is a JWT token?

JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. It consists of three base64url-encoded parts separated by dots: header, payload, and signature.

Does this decoder verify the signature?

No, this tool decodes and displays the JWT contents without verifying the cryptographic signature. Signature verification requires the secret key or public key, which should never be shared publicly. Use this for inspection only.

What information is in a JWT header?

The header typically contains two fields: 'alg' (the signing algorithm like HS256, RS256) and 'typ' (the token type, usually 'JWT'). Some headers also include 'kid' (key ID) for key rotation scenarios.

What is the JWT payload?

The payload contains claims - statements about the user and additional metadata. Standard claims include 'sub' (subject), 'iss' (issuer), 'exp' (expiration time), 'iat' (issued at), 'aud' (audience), and custom claims specific to your application.

Is it safe to decode JWT tokens here?

Yes, all processing happens locally in your browser. The token is never transmitted to any server. However, remember that JWT payloads are only base64-encoded, not encrypted - anyone with the token can read its contents.

Why can I read JWT contents without the secret key?

JWT payloads are base64url-encoded, not encrypted. The signature prevents tampering but doesn't hide content. For sensitive data, use JWE (JSON Web Encryption) instead of or in addition to JWS (JSON Web Signature).

What does the signature part do?

The signature ensures the token hasn't been tampered with. It's created by signing the encoded header and payload with a secret key (HMAC) or private key (RSA/ECDSA). Only the issuer can create valid signatures.

How do I check if a JWT is expired?

Decode the token and check the 'exp' (expiration) claim in the payload. It's a Unix timestamp. Compare it to the current time - if current time exceeds 'exp', the token is expired.

What algorithms are commonly used in JWTs?

Common algorithms include HS256 (HMAC-SHA256, symmetric), RS256 (RSA-SHA256, asymmetric), ES256 (ECDSA-SHA256, asymmetric). HS256 uses a shared secret; RS256 and ES256 use public/private key pairs.

Can I modify a JWT token?

You can decode and read it, but modifying the payload invalidates the signature. Without the secret/private key, you cannot create a valid signature for modified content. This is the security guarantee of JWT.

What is the difference between JWT and JWE?

JWT (JWS) signs data for integrity but content is readable by anyone. JWE encrypts the payload so only authorized parties with the decryption key can read it. Use JWE when payload confidentiality is required.

How do I build a JWT token?

Use our JWT Builder tool to create unsigned JWT tokens from header and payload JSON. For production use, sign tokens server-side using libraries like jsonwebtoken (Node.js), PyJWT (Python), or java-jwt (Java).

JWT Decoder Tool

Why Use Our JWT Decoder?

Other Encoding Tools

Complete JWT Decoding Guide