JWT Decoder

Decode and inspect JSON Web Tokens (JWT). View header, payload, and signature information.

Keyboard Shortcuts:

  • Ctrl/Cmd + Enter - Decode JWT

Privacy: JWT decoding happens entirely in your browser using base64url decoding. No tokens are sent to any server.

Note: This tool only decodes and displays the contents of a JWT. It does not verify the signature, so a token that decodes cleanly here may still be forged, expired or tampered with. A signed JWT is base64url-encoded, not encrypted: anyone who holds the token can read its header and payload. Never put sensitive information in a JWT payload.

About JSON Web Tokens (JWT)

A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. JWTs are commonly used for authentication and information exchange in web applications. In the usual signed (JWS) form they consist of three base64url-encoded parts separated by dots: header, payload, and signature.

JWT Structure:

  • Header: Token type (typ) and signing algorithm (alg, e.g., HS256, RS256), sometimes a key identifier (kid) telling the verifier which key to use
  • Payload: Claims about the user and metadata (sub, name, iat, exp, etc.)
  • Signature: Computed over the encoded header and payload with the signing key; lets the recipient check that the token came from the key holder and was not altered in transit
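The splitting and base64url decoding a tool like this performs, as an added example that is not the tool's own code. It assumes Node.js (for Buffer) and uses the publicly documented jwt.io demo token as its sample input; like the tool, it inspects the token without verifying it:

```javascript
// Added example, not the tool's own source: decode a JWT's three segments
// without verifying it. Runs under Node.js; Buffer does the base64 step.

// base64url -> Buffer. Compact JWTs drop the '=' padding, so restore it first
// and refuse anything outside the base64url alphabet.
function base64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error('segment contains characters outside the base64url alphabet');
  }
  const padLen = (4 - (segment.length % 4)) % 4;
  if (padLen === 3) throw new Error('invalid base64url length');
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat(padLen);
  return Buffer.from(b64, 'base64');
}

// Split a compact-serialised JWT into header, payload and raw signature bytes.
// This only inspects the token; it does NOT establish that it is authentic.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  const header = JSON.parse(base64urlDecode(h).toString('utf8'));
  const payload = JSON.parse(base64urlDecode(p).toString('utf8'));
  if (header === null || typeof header !== 'object' || typeof header.alg !== 'string') {
    throw new Error('header is not a JSON object with an "alg" member');
  }
  return { header, payload, signature: base64urlDecode(s) };
}

// Sample input: the publicly documented jwt.io demo token
// (HS256 over {"sub":"1234567890","name":"John Doe","iat":1516239022}).
const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

// Render the parts for human inspection, turning NumericDate claims into
// ISO timestamps the way a decoder UI would.
function summarize(token) {
  const { header, payload, signature } = decodeJwt(token);
  const lines = [`alg=${header.alg} typ=${header.typ ?? '-'}`];
  for (const claim of ['iat', 'nbf', 'exp']) {
    if (typeof payload[claim] === 'number') {
      lines.push(`${claim}=${payload[claim]} (${new Date(payload[claim] * 1000).toISOString()})`);
    }
  }
  lines.push(`signature: ${signature.length} bytes (decoded, not verified)`);
  return lines;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN).payload, null, 2));
  console.log(summarize(SAMPLE_TOKEN).join('\n'));
}
```

The alphabet and length checks matter even in a viewer: a lenient decoder silently accepts segments a strict verifier would reject, which hides the malformed tokens you most want to notice.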

Common Use Cases:

  • User authentication and authorization
  • Single Sign-On (SSO) implementations
  • API access tokens
  • Secure information exchange
  • Stateless session management
  • OAuth 2.0 and OpenID Connect

Standard JWT Claims:

  • iss (Issuer): Who issued the token; a verifier should compare it against the issuer it trusts
  • sub (Subject): Who the token is about (usually a user ID), unique within the issuer
  • aud (Audience): Who the token is intended for; a string or an array of strings, and a verifier must reject tokens that do not name it
  • exp (Expiration Time): Seconds since the Unix epoch after which the token must be rejected
  • iat (Issued At): When the token was created (Unix timestamp in seconds)
  • nbf (Not Before): Unix timestamp before which the token must not be accepted
  • jti (JWT ID): Unique identifier for the token, useful for detecting replay or revoking individual tokens

All of these registered claims are optional in the specification (RFC 7519), so an application must itself require the ones it relies on, such as exp and aud.

Common Signing Algorithms:

  • HS256 - HMAC with SHA-256 (symmetric: every party that verifies also holds the secret and could mint tokens)
  • RS256 - RSASSA-PKCS1-v1_5 with SHA-256 (asymmetric, RSA public/private key)
  • ES256 - ECDSA with the P-256 curve and SHA-256 (asymmetric, elliptic curve; short signatures)
  • PS256 - RSASSA-PSS with SHA-256 (asymmetric RSA with a randomized salt, the newer RSA scheme)
  • none - unsigned (RFC 7518 defines it; a verifier must never accept it for an untrusted token)

Security Warning: This tool only decodes JWTs; it does not verify signatures, so a token that decodes cleanly here can still be forged, expired or tampered with. Signed JWTs are base64url-encoded, NOT encrypted: anyone who obtains the token can read the header and payload. Never put sensitive information (passwords, card numbers, etc.) in JWT claims. Always verify the signature on the server, using the algorithm and key the verifier expects rather than whatever the token's own header names, before trusting any claim, and reject expired tokens.

JWT Best Practices:

  • Always verify the signature on the server side, and pin the expected algorithm and key in the verifier instead of honouring the header's alg (this is what defeats "alg":"none" and algorithm-confusion attacks)
  • Use strong secret keys (at least 256 bits of randomness for HS256, the minimum RFC 7518 allows; a human-chosen passphrase can be brute-forced offline from a single captured token)
  • Set short expiration times and require exp to be present
  • Never store sensitive data in the payload
  • Use HTTPS to transmit tokens
  • Store tokens securely (in browsers, httpOnly, Secure, SameSite cookies rather than localStorage, which any injected script can read)
  • Implement a refresh mechanism so that short-lived access tokens do not hurt usability
  • Validate every claim you rely on (iss, aud, exp, nbf), allowing only a small clock skew
  • Prefer RS256, PS256 or ES256 when tokens are verified by services other than the issuer, so verifiers need only the public key; with HS256 every verifier holds the signing secret and could issue tokens itself