JWT Decoder

Decode, inspect, and debug JSON Web Tokens instantly

What is a JSON Web Token (JWT)?

JSON Web Token (JWT, pronounced "jot") is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. JWTs are compact, URL-safe, and widely used for authentication and information exchange in modern web applications, APIs, and microservices architectures.

This free online JWT decoder allows you to instantly decode any JWT token to inspect its header and payload without requiring the secret key. It's an essential debugging tool for developers working with OAuth 2.0, OpenID Connect, API authentication, and session management.

Understanding JWT Structure

A JWT consists of three parts separated by dots (.), each encoded in Base64URL format:

header.payload.signature

1. Header

Contains metadata about the token type and signing algorithm (e.g., HS256, RS256). The header typically declares the token as a JWT and specifies the cryptographic algorithm used to generate the signature.

2. Payload (Claims)

Contains the claims—statements about the user and additional metadata. Standard claims include sub (subject), iat (issued at), exp (expiration), and iss (issuer).

3. Signature

Created by signing the Base64URL-encoded header and payload (joined with a dot) with a secret key for HMAC algorithms such as HS256, or a private key for asymmetric algorithms such as RS256. The signature lets a recipient detect tampering and confirm that the token was produced by the holder of the signing key.
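As an added example (not the page's own code), the decoding step the tool performs: split the compact serialization into its three segments, undo the Base64URL encoding, and parse the header and payload as JSON. It assumes a Node.js runtime (v16 or later, for Buffer). SAMPLE_TOKEN is the widely published HS256 example token seen in most JWT introductions; only its header and payload are read here, so its signature is never checked.

```javascript
// Added example, not the page's own code. Assumes Node.js >= 16 (Buffer).
// SAMPLE_TOKEN is a well-known public example token; its signature is not
// verified anywhere in this block, only decoded for display.
const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

// Base64URL (RFC 4648 section 5) differs from plain Base64 in two ways:
// '-' and '_' replace '+' and '/', and the trailing '=' padding is omitted.
// Restore both before handing the segment to a standard Base64 decoder.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Split header.payload.signature and parse the two JSON parts. The signature
// is raw bytes, not JSON, so it is returned still encoded.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  return {
    header: JSON.parse(base64UrlDecode(headerSeg)),
    payload: JSON.parse(base64UrlDecode(payloadSeg)),
    signature: signatureSeg,
  };
}

// The at-a-glance summary: algorithm, timestamps as ISO dates, and whether
// exp has passed. Nothing here proves the token is genuine; the status is
// computed from unverified claims, which is why it is labelled as such.
function describeToken(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { header, payload } = decodeJwt(token);
  const toIso = (t) => (typeof t === 'number' ? new Date(t * 1000).toISOString() : null);
  let status;
  if (typeof payload.exp !== 'number') status = 'no exp claim';
  else if (payload.exp < nowSeconds) status = 'expired';
  else status = 'not yet expired (unverified)';
  return {
    alg: header.alg,
    typ: header.typ,
    issuedAt: toIso(payload.iat),
    expiresAt: toIso(payload.exp),
    status,
  };
}

console.log(describeToken(SAMPLE_TOKEN));
```

The padding arithmetic is the part people get wrong: a segment whose length is a multiple of four needs no padding, so the extra `% 4` keeps `'='.repeat(4)` from being appended in that case.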

How to Use This JWT Decoder

1. Paste Your JWT Token

Copy the complete JWT token from your application, API response, browser cookies, or authorization header and paste it into the input field.

2. View Decoded Content

The tool instantly decodes and displays the header and payload as formatted JSON. Check token status, algorithm, and expiration time at a glance.

3. Debug and Copy

Identify issues with token claims, verify user information, and copy individual parts for further analysis or documentation.

Standard JWT Claims Reference

JWTs use standardized claim names defined in RFC 7519. Here are the most common claims you'll encounter:

Claim   Name         Description
iss     Issuer       Identifies who issued the JWT
sub     Subject      The subject of the JWT (usually a user ID)
aud     Audience     Recipients the JWT is intended for
exp     Expiration   Unix timestamp when the token expires
iat     Issued At    Unix timestamp when the token was issued
jti     JWT ID       Unique identifier for the token

Security Considerations

Important: This tool decodes JWTs entirely in your browser. Your tokens are never sent to any server, ensuring complete privacy. However, keep these security practices in mind:

  • Never share JWT tokens containing sensitive information publicly
  • JWTs are encoded, not encrypted—anyone can decode the payload
  • Always verify JWT signatures server-side before trusting claims
  • Use short expiration times and refresh token patterns for security

Common Use Cases

API Authentication

Debug authentication issues by inspecting access tokens, checking expiration times, and verifying user claims.

Development Testing

Verify token structure during development, ensure claims are correct, and troubleshoot OAuth flows.

Learning JWT

Understand JWT structure by decoding example tokens and seeing how headers and payloads are organized.

Security Auditing

Audit token contents for sensitive data exposure, verify algorithms, and check for security anti-patterns.

Frequently Asked Questions

Can you verify JWT signatures with this tool?

This tool decodes JWTs but doesn't verify signatures. Signature verification requires the signing secret (or, for asymmetric algorithms, the issuer's public key) and should be done server-side for security.

Is it safe to paste tokens here?

Yes! All decoding happens locally in your browser. Tokens are never transmitted to any server. However, avoid sharing tokens in screenshots or logs.

What does an expired token mean?

When a JWT's exp claim is past the current time, the token should be rejected by servers. Users need to re-authenticate or use a refresh token.