JWT Decoder
Decode JSON Web Tokens to inspect the header, payload, and signature.
This free JWT decoder lets you paste any JSON Web Token and instantly see its decoded header, payload, and signature. The three parts of the token are color-coded in the input display: red for the header, purple for the payload, and blue for the signature. If the token contains an expiration claim, the tool shows whether the token is still valid or has expired.
A JSON Web Token (JWT) is a compact, URL-safe means of representing claims between two parties. It consists of three Base64URL-encoded parts separated by dots: a header that specifies the signing algorithm, a payload that contains the claims (such as user ID, roles, and expiration time), and a signature that verifies the token's integrity. JWTs are widely used for authentication and authorization in web applications and APIs.
This tool decodes JWTs, which means it reads and displays the header and payload by Base64URL-decoding them. It does not verify the signature, because signature verification requires the secret key or public key used to sign the token. Decoding is useful for inspecting token contents during development, but you should always verify signatures on your server before trusting the claims in a JWT.
The JWT header typically contains two fields: alg, which specifies the signing algorithm (such as HS256, RS256, or ES256), and typ, which is usually set to "JWT". Some tokens include additional header parameters like kid (key ID) for selecting the correct verification key from a set.
The payload contains the claims, which are statements about the user or entity. Standard claims include sub (subject), iss (issuer), exp (expiration time), iat (issued at), and aud (audience). Custom claims can be added for application-specific data such as user roles or permissions.
All decoding happens locally in your browser. Your JWT tokens are never sent to any server. However, you should still avoid pasting production tokens with sensitive claims in shared environments.