JWT Decoder

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It has three Base64url-encoded parts separated by dots: header.payload.signature. JWTs are widely used for authentication and authorization in web APIs.

The three parts

• Header — describes the token type and signing algorithm (e.g. HS256).
• Payload — the claims: data like sub (subject), exp (expiry), and custom fields.
• Signature — verifies the token hasn't been tampered with (requires the secret/key to validate).

Important: decoding is not verifying

The header and payload of a JWT are only Base64-encoded, not encrypted — anyone can read them. This tool decodes them so you can inspect their contents. It does notverify the signature. Never trust the contents of a token for authorization without verifying its signature on your server using the secret or public key.

Common payload claims

• sub — subject (usually the user ID).
• exp — expiration time (Unix timestamp).
• iat — issued-at time.
• iss — issuer.

Is my token safe?

Yes. Decoding happens entirely in your browser — your JWT is never sent to any server.

Frequently asked questions

Does this verify the token's signature?

No. This tool decodes and displays the header and payload only. It does not verify the signature or check expiry — never trust a token based on decoding alone.

Is my token sent to a server?

No. Decoding happens entirely in your browser; your token never leaves your device.

Which tokens are supported?

Standard base64url-encoded JWTs in the form header.payload.signature. Encrypted JWE tokens are not supported.