Tool
JWT Decoder
Decode and inspect JSON Web Tokens — header, payload, expiry status, and claims.
Decoding only — signatures are not verified. Never paste tokens from production systems into online tools. This tool runs entirely in your browser; no data is sent to any server.
About
What is a JSON Web Token?
A JWT (JSON Web Token) is a compact, URL-safe token format defined in RFC 7519 for transmitting claims between parties. It consists of three Base64URL-encoded segments separated by dots: a header declaring the algorithm, a payload containing the claims, and a cryptographic signature.
JWTs are the dominant authentication token format in modern web applications and APIs. They allow stateless authentication — the server doesn't need to store session data because all necessary information is self-contained in the token and verified by signature.
This tool decodes tokens signed with any of the common algorithms: HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, and ES512. Decoding does not depend on the algorithm, because the header and payload are only Base64URL-encoded; the algorithm matters only for signature verification, which this tool does not perform. All processing happens in your browser — no token is transmitted to any server.
Claims Reference
Standard JWT Claims Explained
sub — Subject
Identifies the principal — typically a user ID. Must be unique per issuer. This is the primary claim for identifying who the token was issued to.
iss — Issuer
Identifies the server or service that issued the token. Consumers should verify this matches the expected authority before trusting the token.
exp — Expiration
Unix timestamp after which the token must be rejected. Tokens without an exp claim are valid indefinitely — a common misconfiguration in dev environments.
iat — Issued At
Unix timestamp of when the token was created. Used with exp to determine the token's lifetime and detect tokens issued in the future.
aud — Audience
Identifies the intended recipients. A token issued for one service should be rejected if presented to a different service — the aud claim enforces this.
jti — JWT ID
A unique identifier for the token, used to prevent replay attacks. Services can store used JTIs until expiry to detect reuse of one-time tokens.
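As an added example, not the tool's own code: a small JavaScript decoder that splits a token into its three segments, Base64URL-decodes the header and payload, and evaluates the exp, nbf, iat and aud claims described above against a supplied clock. The sample token, its claim values and the `checkClaims` helper are constructed for this example; the signature segment is a placeholder and is deliberately not verified.

```javascript
// Added example (not the tool's own code): decode a JWT's header and payload
// without verifying the signature, then evaluate time and audience claims.
// Runs in Node; in a browser, swap Buffer for atob()/TextDecoder.
function base64UrlDecode(segment) {
  // JWTs use the URL-safe alphabet (RFC 4648 section 5) and omit '=' padding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode a compact-serialised JWT (header.payload.signature). The signature is
// returned raw and NOT checked; that needs the key and belongs server-side.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected 3 dot-separated segments');
  const [h, p, s] = parts;
  return {
    header: JSON.parse(base64UrlDecode(h)),
    payload: JSON.parse(base64UrlDecode(p)),
    signature: s,
    verified: false,
  };
}

// Evaluate registered claims (RFC 7519 section 4.1) against a given clock.
// `now` is seconds since the epoch; `leeway` absorbs small clock skew.
function checkClaims(payload, { now, audience, leeway = 0 }) {
  const problems = [];
  if (payload.exp === undefined) problems.push('no exp: token never expires');
  else if (now > payload.exp + leeway) problems.push('expired');
  if (payload.nbf !== undefined && now < payload.nbf - leeway) problems.push('not yet valid');
  if (payload.iat !== undefined && payload.iat > now + leeway) problems.push('issued in the future');
  if (audience !== undefined) {
    const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
    if (!aud.includes(audience)) problems.push('audience mismatch');
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample token: real header and payload, placeholder signature.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ sub: 'user-123', iss: 'https://auth.example', aud: 'api.example', iat: 1700000000, exp: 1700003600, jti: 'tok-1' })),
  'sig-placeholder',
].join('.');
```

Calling `decodeJwt(SAMPLE_TOKEN)` and then `checkClaims(decoded.payload, { now: 1700001000, audience: 'api.example' })` reports the token as acceptable, while a later clock or a different audience lists each failing claim.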
FAQ
Frequently Asked Questions
What is a JWT?
A JSON Web Token is a compact, URL-safe token representing claims between parties. Three Base64URL-encoded parts separated by dots: header (algorithm), payload (claims), and signature. Defined in RFC 7519.
Is it safe to decode a JWT here?
Yes — everything runs in your browser. The header and payload of a JWT are only Base64URL-encoded, not encrypted. Anyone who can read the token can decode it. The signature protects against tampering but does not hide the claims.
What is the difference between HS256 and RS256?
HS256 uses a shared symmetric secret — anyone with it can sign and verify. RS256 uses asymmetric RSA keys — the private key signs, the public key verifies. RS256 is preferred for systems where multiple services verify tokens without issuing them.
What does the exp claim mean?
The exp claim is a Unix timestamp after which the token is invalid. Most libraries enforce this automatically. Tokens with no exp claim never expire — a common and dangerous misconfiguration.
Can I verify the signature here?
This tool decodes the header and payload without signature verification. To verify, you need the signing secret (HS256) or the public key (RS256/ES256). Signature verification should always happen server-side, where keys are securely stored.