JWT Decoder
Decode and inspect JWT tokens — view header, payload and signature without sending data to a server.
About the JWT Decoder
A JSON Web Token (JWT) is a compact, URL-safe way of representing claims between two parties. JWTs are widely used for authentication and authorisation in web applications and APIs — typically issued by a server after login and sent by clients in the Authorization: Bearer <token> HTTP header.
JWT structure
A JWT consists of three Base64URL-encoded parts separated by dots: header.payload.signature
- Header — Describes the token type (
JWT) and signing algorithm (e.g.HS256,RS256). Example:{"alg": "HS256", "typ": "JWT"} - Payload — Contains the claims: statements about an entity (typically the user) and additional metadata. Standard claims include
sub(subject),iss(issuer),exp(expiry time),iat(issued at), andaud(audience). - Signature — Created by signing the encoded header and payload with a secret key or private key. Used to verify the token hasn't been tampered with.
Decoding vs verifying
This tool decodes JWTs — it reads and displays the header and payload contents. It does not verify the signature. Anyone can decode a JWT (the payload is only Base64-encoded, not encrypted). Signature verification, which proves the token is authentic and untampered, requires the server's secret key or public key.
Security considerations
- JWT payloads are not encrypted by default (unless using JWE). Never store sensitive data like passwords or card numbers in a JWT payload.
- Always check the
exp(expiry) claim server-side — an expired token should always be rejected. - Beware the
alg: nonevulnerability — always specify and enforce the expected algorithm on the server.