JWT Decoder
Decode and inspect JSON Web Tokens without any server calls
Your tokens never leave your browser — safe for production JWTs
What Is a JWT?
A JSON Web Token (JWT, pronounced “jot”) is a compact, URL-safe token format defined in RFC 7519. It's used to securely transmit claims between parties — most commonly for authentication and authorization in web applications. A JWT consists of three Base64url-encoded parts separated by dots: header.payload.signature.
The header specifies the algorithm (HS256, RS256, ES256) and token type. The payload contains claims — statements about the user (sub, name, email) and metadata (iat, exp, iss, aud). The signature is an HMAC or digital signature computed over the encoded header and payload; it lets a verifier holding the right key detect whether the token has been tampered with.
Standard JWT Claims
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Who issued the token (e.g., auth server URL) |
| sub | Subject | Who the token is about (usually user ID) |
| aud | Audience | Intended recipient(s) of the token |
| exp | Expiration | Unix timestamp when the token expires |
| iat | Issued At | Unix timestamp when the token was created |
| nbf | Not Before | Token is not valid before this time |
| jti | JWT ID | Unique identifier for the token |
Important: Decoding ≠ Verification
This tool decodes JWTs — it reads the header and payload by Base64url-decoding them. It does not verify the signature, because verification requires the server's secret key (for HMAC) or public key (for RSA/ECDSA). Never trust a JWT's claims in a production system without verifying its signature server-side.
When to Use This Tool
Debugging Auth Flows
Inspect tokens from OAuth2/OIDC providers (Auth0, Okta, Firebase, Cognito) to verify claims, scopes, roles, and expiration times.
API Development
Check that your auth middleware is generating tokens with the correct claims before and after making changes.
Token Expiration Issues
Quickly check if a user's token is expired when debugging “401 Unauthorized” errors.
Security Audits
Review what information is stored in JWTs. The payload is only encoded, not encrypted, so anyone holding the token can read it; sensitive data like emails, permissions, or PII should be minimal.
Built by JDApplications