JWT Decoder
Paste a JWT and see the decoded header, payload, and claims.
Tips
- Paste any JWT — the three parts are separated by dots: header.payload.signature.
- The header and payload are base64url-encoded JSON and decoded entirely in your browser.
- The signature cannot be checked without the signing key (the HMAC secret for HS256, or the issuer's public key for RS256/ES256) — this tool only decodes, it does not validate. A token that decodes cleanly may still be forged, expired, or intended for a different audience.
- Common payload claims: sub (subject), iss (issuer), exp (expiry as Unix timestamp), iat (issued at).
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe format for transmitting claims between two parties. It is widely used for authentication and authorization — when you log in to a service, you often receive a JWT that proves your identity for subsequent requests.
JWTs are not encrypted by default: the header and payload are only base64url-encoded, and the token is optionally signed. Anyone who holds the token can read both parts without any key, so never put sensitive information in a JWT payload unless the token is also encrypted (JWE). A signature protects integrity, not confidentiality.
Structure of a JWT
- Header — contains the token type (typ) and the signing algorithm (alg), such as HS256 or RS256.
- Payload — contains the claims — statements about the user or session. Standard claims include sub, iss, aud, exp, nbf, and iat.
- Signature — a MAC or digital signature computed over the encoded header and payload (the first two segments joined by a dot) with a secret key (HMAC, e.g. HS256) or a private key (e.g. RS256, ES256). A recipient holding the secret or the matching public key can check that the token was produced by a key holder and has not been modified since; decoding alone, as this tool does, performs no such check, and a verifier must also pin the expected algorithm rather than trust the alg value in the header.