JWT Decoder - Decode JSON Web Tokens
Decode JSON Web Tokens instantly. Inspect header, payload, and signature locally in your browser.
What is a JWT Token?
JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. JWTs are digitally signed using a secret (HMAC) or public/private key pair (RSA or ECDSA), making them verifiable and trustworthy.
JWTs are commonly used for authentication (verifying user identity), authorization (determining access rights), and information exchange (securely sharing data between services).
JWT Structure Breakdown
Header: contains the token type and signing algorithm.
```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```
Payload: contains claims (user data and metadata).
```json
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
```
Signature: verifies the token hasn't been tampered with. It is computed over the Base64URL-encoded header and payload joined by a period:
```
HMACSHA256( base64url(header) + "." + base64url(payload), secret )
```
Common JWT Algorithms
| Algorithm | Type | Description | Use Case |
|---|---|---|---|
| HS256 | Symmetric | HMAC with SHA-256 | Single server, internal APIs |
| RS256 | Asymmetric | RSA with SHA-256 | Microservices, public APIs |
| ES256 | Asymmetric | ECDSA with P-256 curve | Mobile apps, IoT devices |
| PS256 | Asymmetric | RSA-PSS with SHA-256 | High-security environments |
Example JWTs to Try
A simple user authentication token with user ID, name, and admin role.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJyb2xlIjoiYWRtaW4ifQ.4v7x8Jq5VZ8KQ3KLZ9NxzS8HdG4Mh2qOr6vYzBJJmKw
Token with standard claims: exp (expiration), iat (issued at), iss (issuer).
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzaW1wbGVkZXZ0b29scy50ZWNoIiwic3ViIjoiYXV0aCIsImF1ZCI6InVzZXJzIiwiZXhwIjoxNzA1MDAwMDAwLCJpYXQiOjE3MDQ5MTM2MDAsIm5hbWUiOiJKYW5lIFNtaXRoIn0.7X9KjW8mA3vLq0Rz8B5tP2sY4hN6cF1wE0jU3iK9oLm
OAuth-style token with scopes defining API access permissions.
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhcGktY2xpZW50LTEyMyIsInNjb3BlIjpbInJlYWQ6dXNlcnMiLCJ3cml0ZTpwb3N0cyJdLCJjbGllbnRfaWQiOiJteS1hcHAiLCJpYXQiOjE3MDQ5MTM2MDB9.Qp8R5sL2mN7vK3wX9yT0uA4zB1cD6eF8gH0jI2kM3nO
Frequently Asked Questions
How do I decode a JWT token?
Simply paste your JWT token into the input field above. Our decoder automatically splits the token into its three parts (header, payload, signature) and displays the decoded JSON. The header and payload are Base64URL encoded, which this tool decodes instantly. Note: the signature cannot be decoded; it is a cryptographic signature (an HMAC or a digital signature) used only for verification.
Is JWT decoding secure?
Decoding a JWT doesn't require any secret key: the header and payload are simply Base64URL encoded, not encrypted. This means anyone who obtains a JWT can read its contents. Never put sensitive data like passwords in a JWT payload. The signature ensures the token hasn't been tampered with, but it doesn't hide the data. Our tool processes everything locally in your browser, so your tokens never leave your device.
JWT vs Session Tokens: What's the difference?
| Aspect | JWT | Session Token |
|---|---|---|
| Storage | Client-side (stateless) | Server-side (stateful) |
| Scalability | Highly scalable | Requires session store |
| Revocation | Difficult (until expiry) | Easy (delete from store) |
| Size | Larger (contains data) | Smaller (just an ID) |
What are common JWT claims?
Standard (registered) claims defined in RFC 7519:
- iss (Issuer) - Who created the token
- sub (Subject) - Who the token is about
- aud (Audience) - Intended recipients
- exp (Expiration) - When the token expires (Unix timestamp)
- iat (Issued At) - When the token was created
- nbf (Not Before) - Token not valid before this time
- jti (JWT ID) - Unique identifier for the token
How do I verify a JWT signature?
Signature verification requires the secret key (for symmetric algorithms like HS256) or the public key (for asymmetric algorithms like RS256). Our decoder displays but doesn't verify the signature, since verification requires the secret or key. To verify: decode the header to get the algorithm, concatenate the encoded header and payload with a period, then either recompute the HMAC with your secret and compare it to the token's signature (symmetric) or check the signature against that input with the issuer's public key (asymmetric).
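The signing formula from the structure breakdown and the verification steps above, carried out end to end for HS256. This is an added example, not code from this tool; the secret, header and payload are constructed for the demonstration, and the verifier pins the expected algorithm rather than trusting the token's own `alg` field.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    # JWT segments use Base64URL without padding; restore the "=" before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build a token as HMACSHA256(base64url(header) + "." + base64url(payload), secret)."""
    def compact(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes, now: int) -> Optional[dict]:
    """Return the payload when the signature and exp check pass, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        actual_sig = b64url_decode(sig_b64)
    except ValueError:  # binascii.Error and JSONDecodeError are both ValueError subclasses
        return None
    # Pin the algorithm: the verifier decides it, the token's "alg" header does not.
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(expected_sig, actual_sig):
        return None
    try:
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
    exp = payload.get("exp")
    if exp is not None and now >= exp:
        return None  # expired tokens fail even with a valid signature
    return payload
```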