JWT Decoder
Decode and inspect JSON Web Tokens — header, payload, claims, and expiry status. 100% client-side.
AD 468×60
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format for securely transmitting claims between parties. It consists of three Base64url-encoded parts separated by dots: Header, Payload, and Signature.
JWT Structure
- Header — specifies the token type (
JWT) and signing algorithm (HS256,RS256, etc.) - Payload — contains claims (statements about the user and metadata). Standard claims include
sub(subject),iat(issued at),exp(expiration),iss(issuer),aud(audience). - Signature — verifies the token hasn't been tampered with. Requires the secret key to verify.
Important Note on Security
The payload of a JWT is Base64-encoded, not encrypted. Never put sensitive information (passwords, credit card numbers) in a JWT payload unless you use JWE (JSON Web Encryption). This decoder only decodes — it does not verify the signature.
Frequently Asked Questions
Can this tool verify the JWT signature?
No — signature verification requires the secret key (for HMAC) or public key (for RSA/ECDSA), which is kept on the server. This tool only decodes and displays the token contents. To verify signatures, use your backend JWT library.
Is it safe to paste my JWT here?
All decoding happens in your browser — nothing is sent to any server. However, JWTs are sensitive credentials. Avoid pasting production tokens in any online tool. Use this only for development/debugging tokens.
What does "exp" mean in the payload?
exp is the "expiration time" claim — a Unix timestamp (seconds since Jan 1 1970) after which the token is no longer valid. This decoder automatically shows whether the token has expired.What's the difference between HS256 and RS256?
HS256 uses a shared secret (symmetric) — both signing and verification use the same key. RS256 uses a private/public key pair (asymmetric) — the server signs with the private key, and clients can verify with the public key without knowing the secret.