ToolsForNerds

JWT Decoder

Decode and inspect JSON Web Tokens (JWT) to view header, payload, and claims

The signature is used to verify that the token hasn't been tampered with. Verification requires the secret key and must be done server-side.
Security Warning: This tool only DECODES the JWT; it does NOT verify the signature. Never trust the contents of a JWT without proper signature verification on your server. Anyone can decode a JWT, but only a party holding the secret key (or, for asymmetric algorithms such as RS256, the public key) can verify it.

Understanding JWT Claims

iss (issuer): Who issued the token
sub (subject): Who the token is about (usually user ID)
aud (audience): Who the token is intended for
exp (expiration): When the token expires (Unix timestamp)
iat (issued at): When the token was created (Unix timestamp)
nbf (not before): Token not valid before this time (Unix timestamp)
jti (JWT ID): Unique identifier for the token

About the JWT Decoder

Decode and inspect JSON Web Tokens (JWT) to view header, payload, and signature information. Essential for debugging authentication, understanding token claims, and troubleshooting API authorization issues.

Features:

  • Decode JWT header and payload
  • Display all token claims
  • Show token expiration time
  • Validate JWT structure
  • Pretty-printed JSON output
  • Copy decoded sections
  • Token expiration checker

Use Cases:

  • Debugging authentication issues
  • Inspecting API tokens
  • Understanding OAuth/OIDC tokens
  • Verifying token claims
  • Checking token expiration
  • Learning about JWT structure
  • API development and testing

JWT Structure:

A JWT consists of three parts separated by dots (.):

  • Header: Algorithm and token type
  • Payload: Claims (user data, permissions, expiration)
  • Signature: Verification signature (not decoded)

Security Note:

This tool only decodes the JWT; it does NOT verify the signature. Never trust JWT data without proper signature verification on your server. Decoding happens in your browser and tokens are not sent to any server.
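
The difference between decoding and verifying, as an added Node.js example (not this tool's own code): a token whose payload was edited after signing still decodes cleanly, and only the server-side check rejects it. It covers HS256 only; the function names, the demo secret, and the sample tokens are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Decode only: split on dots and base64url-decode. Proves nothing about authenticity.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('JWT must have three dot-separated parts');
  const [header, payload] = parts.slice(0, 2)
    .map((p) => JSON.parse(Buffer.from(p, 'base64url').toString('utf8')));
  return { header, payload, signature: parts[2] };
}

// Verify: recompute the HMAC over "header.payload", then check exp and nbf.
function verifyHs256(token, secret, now = Math.floor(Date.now() / 1000)) {
  const { header, payload, signature } = decodeJwt(token);
  // Pin the algorithm on the server; never let the token header choose it.
  if (header.alg !== 'HS256') return { ok: false, reason: 'unexpected alg' };
  const signingInput = token.slice(0, token.lastIndexOf('.'));
  const expected = crypto.createHmac('sha256', secret).update(signingInput).digest();
  const given = Buffer.from(signature, 'base64url');
  // Constant-time comparison; timingSafeEqual throws on unequal lengths, so check first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  if (typeof payload.exp === 'number' && now >= payload.exp) return { ok: false, reason: 'expired' };
  if (typeof payload.nbf === 'number' && now < payload.nbf) return { ok: false, reason: 'not yet valid' };
  return { ok: true, payload };
}

// Constructed sample data: demo secret and a token signed with it.
function signHs256(payload, secret) {
  const input = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) + '.' + b64url(JSON.stringify(payload));
  return input + '.' + crypto.createHmac('sha256', secret).update(input).digest('base64url');
}
const SECRET = 'constructed-demo-secret';
const good = signHs256({ sub: 'user-123', role: 'user', exp: 2000000000 }, SECRET);
// Same header and signature, edited payload: still decodes cleanly, fails verification.
const [h, , s] = good.split('.');
const edited = h + '.' + b64url(JSON.stringify({ sub: 'user-123', role: 'admin', exp: 2000000000 })) + '.' + s;

console.log(decodeJwt(edited).payload.role);
console.log(verifyHs256(edited, SECRET));
console.log(verifyHs256(good, SECRET).ok);
```

In production, use a maintained JWT library and also check iss and aud against the values your service expects.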