JWT Decoder
Decode JWT tokens
How to use the JWT Decoder
- Paste your JWT token into the input field. A JWT is a long string of characters with two dots separating three parts (header, payload, and signature).
- View the decoded header, which shows the signing algorithm (e.g., HS256, RS256) and token type.
- Inspect the decoded payload, which contains the claims: data like user ID, roles, expiration time, and any custom fields your application includes.
- Check token expiration, shown in a human-readable format. The tool highlights whether the token is expired based on the exp claim.
- Review the signature section, which shows the raw signature. Note that this tool does not verify signatures, since that would require the secret key.
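As an added illustration (not the tool's own code), the following JavaScript does exactly what the steps above describe: it splits the token on its two dots, Base64url-decodes the header and payload, parses both as JSON, and reports the exp claim in readable form. The sample header, claims and placeholder signature segment are constructed for this example; the signature is passed through untouched and never verified.

```javascript
// Added example, not the tool's own source. Decodes a JWT the way the steps
// above describe: split on the two dots, Base64url-decode the header and
// payload, JSON-parse both, and report the exp claim in readable form.
// The signature segment is returned untouched; nothing here verifies it.

function base64UrlDecode(segment) {
  // Base64url (RFC 4648 section 5) uses '-' and '_' instead of '+' and '/'
  // and drops the '=' padding, so restore both before calling atob().
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // JWT segments are UTF-8 JSON
}

function base64UrlEncode(text) {
  // Used only to build the constructed sample below; real tokens come from the issuer.
  const bytes = new TextEncoder().encode(text);
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected header.payload.signature, got ${parts.length} part(s)`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  const header = JSON.parse(base64UrlDecode(headerSeg));
  const payload = JSON.parse(base64UrlDecode(payloadSeg));

  // exp is a NumericDate: seconds since the Unix epoch. A missing exp is
  // reported as null rather than silently treated as "never expires".
  let expiry = null;
  if (typeof payload.exp === 'number') {
    expiry = {
      at: new Date(payload.exp * 1000).toISOString(),
      expired: payload.exp <= now,
    };
  }
  return { header, payload, signature: signatureSeg, expiry };
}

// Constructed sample token: an HS256 header, a small set of claims, and an
// arbitrary placeholder in the signature position (it is not a real signature).
const SAMPLE_HEADER = { alg: 'HS256', typ: 'JWT' };
const SAMPLE_PAYLOAD = { sub: '1234567890', name: 'John Doe', iat: 1516239022, exp: 1516242622 };
const SAMPLE_TOKEN =
  base64UrlEncode(JSON.stringify(SAMPLE_HEADER)) + '.' +
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)) + '.' +
  'placeholder-signature';

// Decode with a fixed clock (a few minutes before exp) so the output is stable.
console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN, 1516242000), null, 2));
```

The `now` parameter exists so that expiry can be judged against a chosen clock rather than the machine's; a decoder run on a test fixture or an archived token should not report it as expired just because the wall clock has moved on.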
What are JSON Web Tokens (JWTs)?
A JSON Web Token (JWT, pronounced "jot") is a compact, URL-safe token format defined by RFC 7519. JWTs are the de facto standard for transmitting claims (pieces of information) between parties in modern web applications, particularly for authentication and authorization.
A JWT consists of three parts separated by dots: header.payload.signature. The header specifies the signing algorithm (e.g., HMAC SHA-256 or RSA) and token type. The payload contains the claims, which are statements about the user and metadata. The signature verifies that the token has not been tampered with.
Both the header and payload are Base64url-encoded JSON objects. This means anyone can decode and read them, which is why JWTs should never contain sensitive information like passwords. The signature is what provides integrity: if anyone modifies the header or payload, the signature will not match, and the token will be rejected by the server.
Standard claims include iss (issuer), sub (subject, usually the user ID), aud (audience), exp (expiration time as a Unix timestamp), nbf (not before), iat (issued at), and jti (JWT ID). Applications can add any custom claims they need.
JWTs are stateless: the server does not need to store session data because all the necessary information is in the token itself. This makes JWTs ideal for distributed systems and microservices, where session sharing between servers is difficult. However, this statelessness also means that revoking a JWT before it expires requires additional infrastructure like a token blacklist.
Common use cases
- •Authentication debugging: When troubleshooting login issues, decoding the JWT reveals the user ID, roles, expiration time, and issuer, helping you pinpoint authentication problems quickly.
- •API development: When building or consuming APIs that use JWT-based authentication, inspecting tokens helps verify that the correct claims are being included.
- •Security auditing: Reviewing JWTs helps ensure that tokens do not contain sensitive information in the payload and that appropriate expiration times are set.
- •OAuth and OIDC flows: OAuth 2.0 and OpenID Connect use JWTs extensively. Decoding ID tokens and access tokens is essential for debugging these flows.
FAQ
Can this tool verify JWT signatures? No. Signature verification requires the secret key (for HMAC) or the public key (for RSA/ECDSA), which only the token issuer has. This tool decodes the token contents for inspection but does not validate authenticity.
Is it safe to paste JWTs into online tools? With this tool, yes, because all processing happens in your browser and nothing is sent to any server. However, you should be cautious with other online tools. A JWT is a bearer token: anyone who has it can potentially impersonate the user until it expires.
Why does my JWT have such a long payload? JWTs should contain only essential claims. If your payload is very large, review whether all the included data is necessary. Large JWTs increase the size of every HTTP request since they are sent in the Authorization header.
Is my data safe?
Yes. This tool runs entirely in your browser. Your data is never sent to our servers. JWT decoding is simply Base64url decoding followed by JSON parsing, all performed locally. Your tokens never leave your device.