JWT Decoder

Decode and inspect JSON Web Tokens (JWT) to view their header and payload.

What Is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519. JWTs consist of three Base64URL-encoded parts separated by dots: header.payload.signature.

JWT Structure

  1. Header — Contains the token type (JWT) and signing algorithm (e.g., HS256, RS256).
  2. Payload — Contains claims: data about the user or session. Standard claims include sub (subject), iat (issued at), exp (expiration).
  3. Signature — Verifies the token hasn't been tampered with. Created by signing the header and payload with a secret key.

Important: This tool only decodes the JWT — it does not verify the signature. Never trust a JWT's claims without verifying its signature on the server side.

Common JWT Claims

  • iss — Issuer of the token
  • sub — Subject (user identifier)
  • aud — Audience (intended recipient)
  • exp — Expiration time (Unix timestamp)
  • iat — Issued at (Unix timestamp)
  • nbf — Not before (Unix timestamp)

Frequently Asked Questions

Is it safe to decode a JWT in the browser?

Yes. The header and payload of a JWT are merely Base64URL-encoded, not encrypted. Anyone with the token can decode it. Security comes from the signature verification, not from hiding the payload.