JWT Decoder

Decode JSON Web Tokens (JWT) to inspect the header and payload. View expiry status and formatted JSON with syntax highlighting.

âš ī¸ Note: This tool only decodes JWT tokens. It does not verify signatures. Never trust decoded JWT data without proper signature verification on your server.

About JWT Decoder

Our JWT Decoder is a free online tool that lets you inspect the contents of JSON Web Tokens (JWTs). JWTs are a compact, URL-safe way to represent claims between two parties and are widely used for authentication and authorization in web applications.

A JWT consists of three parts separated by dots: a header (which specifies the token type and signing algorithm), a payload (which contains the claims or data), and a signature (which is used to verify the token's integrity). This tool decodes the header and payload, which are Base64Url-encoded JSON, and displays them in a readable format with syntax highlighting.

Important: This tool only decodes tokens — it does not verify the signature. Anyone can create a JWT with any payload. The security of JWTs relies on signature verification, which must be done server-side using the secret key or public key. Never trust claims from an unverified JWT.

Frequently Asked Questions

Q What is a JWT (JSON Web Token)?

A JSON Web Token is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. It's commonly used for authentication — after a user logs in, the server issues a JWT that the client includes in subsequent requests to prove their identity. JWTs are self-contained, meaning they carry all necessary information within the token itself.

Q What is the difference between decoding and verifying a JWT?

Decoding simply reads the Base64Url-encoded content of the header and payload — this can be done by anyone with access to the token. Verifying checks the signature to confirm the token hasn't been tampered with and was issued by a trusted party. Our tool only decodes tokens. For security, always verify JWTs server-side using the appropriate secret or public key before trusting the claims.

Q What are common JWT claims?

Standard JWT claims include: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). The exp claim is particularly important as it determines when the token expires. Custom claims can also be included for application-specific data like user roles, permissions, or email addresses.