About JWT Decoder
What is a JWT?
A JWT (JSON Web Token) is a compact, URL-safe means of representing claims to be transferred between two parties. It is commonly used for authentication and authorization in web applications. When a user logs in, the server generates a JWT and sends it to the client. The client includes the JWT in subsequent requests, allowing the server to verify the user's identity without storing session state.
JWTs are defined by RFC 7519 and are widely adopted across modern web frameworks and APIs. They are used in OAuth 2.0 flows, OpenID Connect, API authentication, and single sign-on (SSO) systems. Major identity providers like Google, Microsoft, and Auth0 issue JWTs for user authentication.
This JWT decoder tool lets you inspect the contents of a JWT without verifying its signature. It runs entirely in your browser, so your token is never sent to any server. This is useful for debugging authentication issues, understanding what claims are included in a token, and confirming that the expected data is being encoded. Two caveats apply to anything you see here: the header and payload are encoded, not encrypted, so anyone who holds the token can read them (never put secrets in claims), and a decoded claim is only what the token asserts about itself. Until the signature has been verified, nothing in the payload should be trusted.
JWT Structure
A JWT (more precisely, a JWS in compact serialization) consists of three parts separated by dots: the header, the payload, and the signature. The header and payload are Base64URL-encoded JSON objects; the signature is the Base64URL encoding of the raw signature bytes. Base64URL is not the same as standard Base64: it uses - and _ in place of + and / and drops the trailing = padding, so a decoder must translate the alphabet and restore the padding before handing a segment to a standard Base64 routine.
Header
The header typically contains two fields: alg (the signing algorithm, such as HS256 or RS256) and typ (the token type, usually JWT). It may also carry kid, a key identifier that tells the verifier which of its keys to use. The header states how the token was signed, but a verifier should treat that as a value to check against the algorithms it actually accepts, not as an instruction to follow: a verifier that honours whatever alg the header names (including none, which means no signature at all) can be talked out of checking the signature.
Payload
The payload contains the claims, which are statements about an entity (typically the user) and additional metadata. Registered claims include iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before time), and iat (issued at time). Custom claims can also be included for application-specific data such as user roles, permissions, or profile information.
Signature
The signature is computed over the signing input, which is the encoded header and the encoded payload joined by a dot, using either a shared secret (HMAC algorithms such as HS256) or a private key (RSA, ECDSA or EdDSA algorithms such as RS256, ES256 or EdDSA). The receiving server recomputes the HMAC with the same secret, or checks the signature with the matching public key, which proves that the header and payload have not been altered since signing and that the signer held the key. This tool does not verify signatures because verification requires that key, which varies per application.
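The decoding described in this section, as an added example (not the KnowKit tool's own code): it handles the Base64URL alphabet and the missing padding before calling atob(), decodes the bytes as UTF-8 rather than using atob()'s Latin-1 string directly, and reports the signature only as a byte count so the result cannot be mistaken for verification. The sample input is the widely circulated jwt.io demo token (HS256); nothing else is assumed.

```javascript
// Added example (not the KnowKit tool's code): decode the three segments of a JWT
// in the browser, as this page describes, without trusting any of them.

// Base64URL (RFC 4648 section 5) differs from the Base64 that atob() expects:
// '-' and '_' replace '+' and '/', and the trailing '=' padding is dropped.
function base64UrlToBytes(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error('segment contains characters outside the Base64URL alphabet');
  }
  const base64 = segment
    .replace(/-/g, '+')
    .replace(/_/g, '/')
    .padEnd(segment.length + ((4 - (segment.length % 4)) % 4), '=');
  const binary = atob(base64); // Latin-1 "binary string", one char per byte
  const bytes = new Uint8Array(binary.length);
  for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
  return bytes;
}

// Header and payload are UTF-8 JSON. Decoding the bytes with TextDecoder keeps
// non-ASCII claim values (names, locales) intact; atob()'s string alone would not.
function decodeJsonSegment(segment) {
  const text = new TextDecoder('utf-8', { fatal: true }).decode(base64UrlToBytes(segment));
  const value = JSON.parse(text);
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error('JWT header and payload must be JSON objects');
  }
  return value;
}

// Split and decode. Nothing here checks the signature: the result tells you what
// the token claims, not whether those claims are authentic.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  return {
    header: decodeJsonSegment(headerSeg),
    payload: decodeJsonSegment(payloadSeg),
    // Length only: 32 bytes for HS256, 64 for ES256, 256 for RS256 with a 2048-bit key.
    signatureBytes: base64UrlToBytes(signatureSeg).length,
    verified: false,
  };
}

// Sample input: the jwt.io demo token (HS256). Its payload segment is 74 characters
// long, so it exercises the re-padding step above.
const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(JSON.stringify(decoded, null, 2));
```

The same code runs unchanged in a browser console or in Node 16 or later, where atob() and TextDecoder are globals. Reporting the signature as a byte count is deliberate: a decoder that prints the signature segment as text invites readers to treat its presence as proof of anything.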
How to Use This Tool
Paste your JWT token into the input area. The tool will automatically decode the header and payload as you type, displaying them as formatted JSON with syntax highlighting. Time-based claims (iat, exp, nbf) are shown as human-readable dates, and the expiration status is displayed with a visual indicator.
If the token is expired, a warning banner will appear at the top of the decoded output. The expiration card will also show in red to make the status immediately visible. You can copy the decoded header or payload as formatted JSON using the copy buttons.
Frequently Asked Questions
Is my JWT token sent to a server?
No. All decoding happens entirely in your browser using JavaScript. Each segment is Base64URL-decoded (built on the browser's atob() function) and the resulting text is parsed with JSON.parse(). No data is transmitted to any server.
Why does this tool not verify the signature?
Signature verification requires the key that was used to sign the token: the shared secret for HMAC algorithms, or the public key that matches the issuer's private key for RSA, ECDSA or EdDSA. An HMAC secret must never leave the services that issue and verify tokens, and while public keys are often published (for example through a JWKS endpoint), fetching the right key and checking it against the token is the relying party's job, not a debugging tool's. This tool is designed for inspecting and debugging JWT contents, not for establishing authenticity. To verify a signature, use a maintained server-side library such as jsonwebtoken (Node.js) or PyJWT (Python) with your application's key, and tell it explicitly which algorithm(s) you expect rather than letting the token's header decide.
What do the registered claims mean?
iss identifies the issuer of the token. sub identifies the subject (usually the user ID). aud specifies the intended recipients, as a single string or an array; a verifier should accept the token only if its own identifier appears there. exp is the time after which the token should not be accepted. nbf is the time before which the token should not be accepted. iat is the time at which the token was issued. These three time claims are NumericDate values, that is seconds since the Unix epoch, not the milliseconds JavaScript's Date uses. jti is a unique identifier for the token; it only prevents replay if the server records the identifiers it has already accepted.
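Checking the registered claims after the signature has been verified, as an added example (not the tool's code). It also covers the expiration logic the How to Use section describes, including the leeway most verifiers allow for clock skew. The payloads, issuer and audience values and the fixed "now" are constructed; the option names expectedIssuer, expectedAudience, nowSeconds and leewaySeconds are this example's own.

```javascript
// Added example (not the KnowKit tool's code): validate the registered claims of an
// already signature-verified payload. Option names and sample data are constructed.

// exp, nbf and iat are NumericDate values: seconds since the Unix epoch (RFC 7519),
// so they are multiplied by 1000 before being handed to Date for display.
const toDate = (numericDate) => new Date(numericDate * 1000);

function validateClaims(payload, {
  expectedIssuer,
  expectedAudience,
  nowSeconds = Math.floor(Date.now() / 1000),
  leewaySeconds = 60, // tolerance for clock skew between issuer and verifier
} = {}) {
  const problems = [];

  // exp: reject once now has passed exp plus leeway. A missing exp is treated as
  // a problem because a token that never expires cannot be retired.
  if (typeof payload.exp !== 'number') {
    problems.push('exp missing');
  } else if (nowSeconds >= payload.exp + leewaySeconds) {
    problems.push(`expired at ${toDate(payload.exp).toISOString()}`);
  }

  // nbf: not yet valid if nbf is still more than leeway in the future.
  if (typeof payload.nbf === 'number' && nowSeconds + leewaySeconds < payload.nbf) {
    problems.push(`not valid before ${toDate(payload.nbf).toISOString()}`);
  }

  // iat: an issue time in the future means a bad clock or a forged token.
  if (typeof payload.iat === 'number' && payload.iat > nowSeconds + leewaySeconds) {
    problems.push('issued in the future');
  }

  if (expectedIssuer !== undefined && payload.iss !== expectedIssuer) {
    problems.push(`issuer ${payload.iss} is not ${expectedIssuer}`);
  }

  // aud may be a single string or an array; the verifier must find itself in it.
  if (expectedAudience !== undefined) {
    const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
    if (!aud.includes(expectedAudience)) {
      problems.push(`audience does not include ${expectedAudience}`);
    }
  }

  return { valid: problems.length === 0, problems };
}

// Constructed sample payloads. "now" is fixed so the output is deterministic.
const NOW = 1700000000; // 2023-11-14T22:13:20Z
const good = {
  iss: 'https://issuer.example', sub: 'user-42',
  aud: ['api.example', 'other.example'],
  iat: NOW - 300, nbf: NOW - 300, exp: NOW + 3600, jti: 'tok-1',
};
const stale = { ...good, exp: NOW - 7200 };
const wrongAud = { ...good, aud: 'other.example' };

const opts = { expectedIssuer: 'https://issuer.example', expectedAudience: 'api.example', nowSeconds: NOW };
console.log(validateClaims(good, opts));      // valid: true
console.log(validateClaims(stale, opts));     // expired at 2023-11-14T20:13:20.000Z
console.log(validateClaims(wrongAud, opts));  // audience does not include api.example
```

jti is intentionally not checked here: detecting a replayed token requires server-side state (a store of identifiers already seen until their exp passes), which a stateless validation function cannot provide.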
Can I decode tokens signed with any algorithm?
Yes. The header and payload are simply Base64URL-encoded JSON, so they can be decoded regardless of the signing algorithm. The signing algorithm only affects the signature portion, which this tool displays but does not verify.
What does it mean if a token is expired?
An expired token has passed the time in its exp (expiration) claim. Verifiers compare exp against their own clock, usually with a small leeway of seconds to a couple of minutes to absorb clock skew between issuer and verifier, so a token that has only just expired may still be accepted briefly by some servers. Beyond that, servers reject it and the client must obtain a new one, typically by using a refresh token or re-authenticating. If you see an expired token in this tool, it can no longer be used with any server that enforces exp, regardless of whether its signature is otherwise valid.
This tool is provided for informational purposes only. KnowKit is not responsible for any errors in the output.