JWT Decoder & Inspector

Decode JWT tokens instantly. Inspect header, payload, claims, and expiration status

Use this free JWT decoder to decode and inspect JSON Web Tokens instantly. Decode JWT tokens online with color-coded visualization, human-readable timestamps, and expiration checking. Perfect for debugging authentication and API authorization issues. 100% client-side, your tokens never leave your browser.

Standard JWT Claims

Registered Claims

iss: Issuer, who created the token
sub: Subject, the user identifier
aud: Audience, the intended recipient
exp: Expiration time (Unix timestamp, seconds since the epoch)
nbf: Not before (Unix timestamp)
iat: Issued at (Unix timestamp)
jti: JWT ID, a unique identifier for the token

Common Algorithms

HS256: HMAC using SHA-256 (symmetric)
HS384: HMAC using SHA-384 (symmetric)
RS256: RSASSA-PKCS1-v1_5 using SHA-256 (asymmetric)
RS384: RSASSA-PKCS1-v1_5 using SHA-384 (asymmetric)
ES256: ECDSA using P-256 and SHA-256 (asymmetric)
PS256: RSASSA-PSS using SHA-256 (asymmetric)
none: No signature (unsafe! a verifier must reject it)

JWT Guide

What is a JWT?

JWT (JSON Web Token) is a compact, URL-safe token format defined in RFC 7519. It's widely used for stateless authentication in web applications and APIs. A JWT carries user identity and claims without requiring the server to store session state.

JWTs are used by companies like Netflix, Spotify, and Uber to authenticate billions of API requests daily. Learn more in our deep dive: Why JWT Replaced Sessions.

JWT Structure: Three Parts

A JWT has three parts separated by dots: header.payload.signature

  • Header: Contains the algorithm (alg) and token type (typ). Base64URL encoded.
  • Payload: Contains claims (statements about the user and metadata like expiration time). Base64URL encoded. Not encrypted, anyone can read it.
  • Signature: Computed over the encoded header and payload (base64url(header) + "." + base64url(payload)) with a key: an HMAC for the HS* algorithms, a digital signature for RS*, ES* and PS*. It lets a verifier detect tampering; it does not hide anything.

JWT Security Best Practices

  • Use short expiration times: around 15 minutes for access tokens, with refresh tokens for longer sessions. Always check exp (and nbf when present) on the server.
  • Store in httpOnly cookies: Keeps script injected via XSS from reading the token. Because cookies are sent automatically, pair this with SameSite and CSRF protection.
  • Never put sensitive data in payload: Payloads are encoded, not encrypted. Anyone holding the token can decode them.
  • Pin allowed algorithms on the server: Never let the token's alg header choose the verification method. Configure the expected algorithm and key in the verifier and reject none and any mismatch. This blocks algorithm confusion attacks, such as an HS256 token HMAC-signed with the server's public RSA key and accepted by a verifier that trusts alg.
  • Use RS256 (or another asymmetric algorithm) for microservices: Only the auth service holds the private key; every other service verifies with the public key, so a compromised service cannot mint tokens.

For the complete guide, read Why JWT Replaced Sessions: Building Auth That Scales and How OAuth 2.0 Works.

Using This JWT Decoder

  • Paste a token: Paste any JWT token. The Bearer prefix is automatically stripped.
  • View decoded parts: Header and payload are displayed as formatted JSON with syntax highlighting.
  • Check expiration: The exp claim is automatically compared to the current time.
  • Inspect claims: All claims are listed with human-readable descriptions and timestamp formatting.
  • Copy JSON: Copy the decoded header or payload to clipboard with one click.

Note: This tool decodes tokens but does not verify signatures. Signature verification requires your secret key, which should never be shared with online tools.
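What the decoder does with a pasted token, covering both the three-part structure described above and the steps in this section, as an added example written for this guide rather than the tool's own source. It runs on Node.js with built-ins only; the function names (decodeJwt, expirationStatus, unsignedToken) are this example's. The first sample token is the well-known jwt.io demo token; the second is constructed in-line with a placeholder signature so the expiry branches can be exercised. Like the tool, it never verifies signatures.

```javascript
// Added example (not the page's own code): decoding and expiration logic of a JWT
// inspector, Node.js built-ins only. No signature verification is performed.
function base64UrlDecode(s) {
  // Base64URL (RFC 7515 section 2) uses '-' and '_' instead of '+' and '/' and drops
  // '=' padding; Node's base64 decoder tolerates the missing padding.
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

function decodeJwt(raw, nowSeconds = Math.floor(Date.now() / 1000)) {
  // Accept a pasted "Authorization: Bearer <token>" value by stripping the scheme.
  const token = raw.trim().replace(/^Bearer\s+/i, '');
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected header.payload.signature, found ${parts.length} part(s)`);
  }
  const [h, p, s] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  return { header, payload, signature: s, status: expirationStatus(payload, nowSeconds) };
}

// RFC 7519: the token is usable only while nbf <= now < exp. Timestamps are seconds, not ms.
function expirationStatus(payload, now) {
  const iso = (t) => new Date(t * 1000).toISOString();
  if (typeof payload.nbf === 'number' && now < payload.nbf) {
    return { state: 'not-yet-valid', notBefore: iso(payload.nbf) };
  }
  if (typeof payload.exp !== 'number') return { state: 'no-exp' };
  if (now >= payload.exp) {
    return { state: 'expired', expiresAt: iso(payload.exp), secondsAgo: now - payload.exp };
  }
  return { state: 'valid', expiresAt: iso(payload.exp), secondsLeft: payload.exp - now };
}

// Constructed sample: the jwt.io demo token (HS256, secret "your-256-bit-secret"),
// pasted with its Bearer prefix. It carries no exp claim, so the status is "no-exp".
const SAMPLE_TOKEN =
  'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

// Build a token with chosen claims for exercising the expiry branches. The signature
// part is a placeholder: decoding never looks at it.
function unsignedToken(header, payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc(header)}.${enc(payload)}.placeholder`;
}

// Usage: decode the demo token, then a constructed token at three points in time.
console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN), null, 2));
const timed = unsignedToken({ alg: 'HS256', typ: 'JWT' },
  { sub: 'alice', nbf: 1700000100, iat: 1700000000, exp: 1700000900 });
console.log(decodeJwt(timed, 1700000000).status); // not-yet-valid
console.log(decodeJwt(timed, 1700000300).status); // valid, 600 s left
console.log(decodeJwt(timed, 1700001000).status); // expired 100 s ago
```

Because exp is compared with >=, a token is treated as expired at the exact second named in exp, which is what RFC 7519 requires. A real inspector should also tolerate a few seconds of clock skew; this example deliberately does not, so that the boundary is visible.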

JWT Decoder FAQ

What is a JWT token?

A JWT (JSON Web Token) is a compact, URL-safe token for authentication. It has three parts: header (algorithm), payload (claims like user ID and expiration), and signature (cryptographic proof). JWTs enable stateless authentication where the server doesn't store session data.

How do I decode a JWT token?

Paste your JWT token into the input area above. The tool automatically decodes the Base64URL-encoded header and payload, displaying them as formatted JSON. Timestamps are converted to human-readable dates and the expiration status is shown.

Is it safe to decode JWT tokens online?

This JWT decoder runs entirely in your browser. Your token is never sent to any server. However, JWT payloads are only encoded (not encrypted), so anyone with the token can read the payload. Never include sensitive data like passwords in JWT payloads.

What are JWT claims?

Claims are key-value pairs in the JWT payload. Standard claims include iss (issuer), sub (subject), exp (expiration), iat (issued at), and aud (audience). You can also add custom claims like role or permissions.

How do I check if a JWT is expired?

Paste your JWT into this tool. It reads the exp (expiration) claim and compares it to the current time, showing whether the token is expired or still valid, along with the exact expiration date.

Can this tool verify JWT signatures?

No. Verification needs the key: for HS256 that is the shared secret, which must never be pasted into an online tool; for RS256 it is the public key, which is not secret, but verification still belongs in your server's validation path with the expected algorithm pinned. Use server-side libraries like jsonwebtoken (Node.js), PyJWT (Python), or java-jwt (Java).

What is the difference between HS256 and RS256?

HS256 (symmetric) uses the same secret for signing and verification. Simpler, but every service that can verify a token can also mint one, and the secret has to be distributed to all of them. RS256 (asymmetric) signs with a private key and verifies with a public key. Better for microservices: only the auth server can issue tokens, and compromising a verifying service yields nothing that allows forgery.

Why is my JWT payload readable without the secret key?

JWT payloads are Base64URL-encoded, not encrypted. The signature ensures integrity (nobody modified the data), not confidentiality. If you need encrypted tokens, use JWE (JSON Web Encryption). This is why you should never store passwords or sensitive data in JWT payloads.