Decode JWT Token
JWT Decoder is a free tool that instantly decodes a JSON Web Token into its header, payload, and signature. Paste a token below to inspect the claims and check expiration status.
Signature verification requires the secret or public key and is not performed by this tool.
How a JWT Is Structured
A JSON Web Token (JWT) is a compact, URL-safe string made of three Base64URL-encoded parts separated by dots:
header.payload.signature
1. Header
Specifies the token type (JWT) and signing algorithm. Common algorithms:
- HS256 — HMAC with SHA-256 (symmetric; one shared secret)
- RS256 — RSA with SHA-256 (asymmetric; private key signs, public key verifies)
- ES256 — ECDSA with SHA-256 (asymmetric; smaller keys than RSA)
2. Payload
Contains claims — key-value pairs with token data. Claims fall into three categories:
- Registered claims — standard fields like iss, sub, exp, iat
- Public claims — custom fields registered in the IANA JWT Claims Registry or using collision-resistant names
- Private claims — application-specific fields agreed between producer and consumer
3. Signature
Created by signing the encoded header and payload with the algorithm specified in the header. The signature lets the receiver verify the token was not tampered with and was issued by a trusted party.
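The three-part structure above, worked through in code. This is an added example written for this page, not the decoder's own source: it splits a compact JWT, Base64URL-decodes the header and payload (assuming Node.js 16 or later for Buffer's 'base64url' encoding), leaves the signature untouched because decoding it proves nothing without the key, and classifies the exp/nbf claims against a supplied clock. The sample token is constructed inline with a placeholder signature.

```javascript
// Added example (not the decoder's own source): decode a JWT without
// verifying it, then classify its expiration status.
// Assumes Node.js 16+ (Buffer 'base64url' encoding).

// Base64URL -> UTF-8. JWT parts omit '=' padding; Buffer accepts that.
function base64UrlDecode(part) {
  return Buffer.from(part, 'base64url').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64url');
}

// Split a compact JWT into header.payload.signature and parse the two JSON
// sections. Throws on malformed input instead of guessing; the signature is
// returned as the raw Base64URL string.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  return { header, payload, signature: s };
}

// Returns 'not-yet-valid' (before nbf), 'no-exp' (no exp claim, so the token
// never expires), 'expired' (now is at or past exp), or 'valid'.
function expirationStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) return 'not-yet-valid';
  if (typeof payload.exp !== 'number') return 'no-exp';
  return nowSeconds >= payload.exp ? 'expired' : 'valid';
}

// Constructed sample token: header and payload are built here; the third
// part is a placeholder because this example does not verify signatures.
const sampleHeader = { alg: 'HS256', typ: 'JWT' };
const samplePayload = {
  iss: 'https://issuer.example', // hypothetical issuer
  sub: 'user-42',
  iat: 1700000000,
  exp: 1700003600, // one hour after iat
};
const sampleToken = [
  base64UrlEncode(JSON.stringify(sampleHeader)),
  base64UrlEncode(JSON.stringify(samplePayload)),
  'placeholder-signature',
].join('.');

// Usage: decode, then report status at a fixed clock (30 minutes after iat).
const decoded = decodeJwt(sampleToken);
console.log(decoded.header.alg, decoded.payload.sub,
  expirationStatus(decoded.payload, 1700001800));
```

Note that `decodeJwt` never looks at `alg` or the signature; it is the "read the claims" step only. Any decision based on `payload` still needs the verification step described in the next sections.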
Standard JWT Claims Reference
| Claim | Name | Purpose |
|---|---|---|
| iss | Issuer | Who created and signed the token |
| sub | Subject | Who the token is about (usually a user ID) |
| aud | Audience | Who the token is intended for (service or API) |
| exp | Expiration | Unix timestamp after which the token is invalid |
| nbf | Not Before | Unix timestamp before which the token is invalid |
| iat | Issued At | Unix timestamp when the token was created |
| jti | JWT ID | Unique identifier to prevent token replay |
Decoding vs. Verifying — Why It Matters
Decoding is reversing the Base64URL encoding. No key is needed — anyone with the token can read the header and payload. This is by design; JWTs are signed, not encrypted.
Verifying is checking the cryptographic signature to confirm the token was created by a trusted issuer and has not been altered.
Verification requires the secret (for HS256) or the public key (for RS256, ES256).
Rule: Never trust decoded claims without first verifying the signature in your application code.
Common JWT Mistakes
- Storing secrets in the payload — The payload is readable by anyone. Use JWE if you need encrypted content.
- Skipping signature verification — Decoding alone does not prove authenticity. Always verify.
- Using alg: none — Disabling the signature defeats the purpose. Reject unsigned tokens in production.
- Ignoring exp — Tokens without expiration never become invalid. Set reasonable lifetimes.
- Putting JWTs in URLs — Query parameters get logged by servers, proxies, and browsers. Use the Authorization header instead.
- Using weak secrets — For HS256, use at least 256 bits of entropy. Short passwords are brute-forceable.
Frequently Asked Questions
What is a JWT (JSON Web Token)?
A JWT is a compact, URL-safe token format defined in RFC 7519. It encodes a JSON header and payload as Base64URL strings, joined by dots, with a cryptographic signature appended. JWTs are commonly used for authentication and authorization in web applications.
Can anyone read a JWT?
Yes. The header and payload are Base64URL-encoded, not encrypted. Anyone with the token string can decode and read every claim. This is why you should never store passwords, credit card numbers, or other secrets inside a JWT.
How do I check if a JWT is expired?
Look at the exp claim in the payload. It is a Unix timestamp (seconds since 1970-01-01 UTC). If the current time is past that value, the token is expired. This decoder checks expiration automatically and shows whether the token is valid or expired.
What does the alg field mean?
The alg field in the header tells you which algorithm was used to create the signature. HS256 uses a shared secret (symmetric). RS256 and ES256 use public/private key pairs (asymmetric). The choice of algorithm affects how verification works.
Is it safe to paste my production JWT here?
This tool runs entirely in your browser. Your token is never sent to any server. However, production tokens grant access to real systems — treat them like passwords. Avoid sharing them or pasting them into tools you do not trust.
What is the difference between JWT and JWE?
A JWT (specifically a JWS — JSON Web Signature) is signed but not encrypted, so anyone can read the payload. A JWE (JSON Web Encryption) encrypts the payload so only the intended recipient can decrypt and read it. Most authentication systems use signed JWTs; JWE is used when payload confidentiality is required.
Can this tool verify JWT signatures?
No. Signature verification requires the signing secret or public key, which this tool does not have. To verify signatures, use a server-side library (e.g., jsonwebtoken in Node.js, PyJWT in Python) or a tool that accepts the key as input.
How long should a JWT be valid?
It depends on the use case. Access tokens are typically valid for 5–60 minutes. Refresh tokens may last days or weeks. Shorter lifetimes limit the damage if a token is stolen. Balance security against user convenience for your application.
Does this tool store my data?
No. All decoding runs in your browser using JavaScript. Nothing is sent to a server, and nothing is stored.
Related Tools
- Base64 Encoder/Decoder — encode or decode Base64 strings (JWT parts use Base64URL)
- JSON Formatter — format and validate decoded JSON payloads
- Unix Timestamp Converter — convert exp and iat timestamps to readable dates
- Hash Generator — generate SHA-256 and other hashes
- JSON Validator — validate JSON structure
Privacy & Limitations
- All calculations run entirely in your browser -- nothing is sent to any server.
- Results are computed locally and should be verified for critical applications.
JWT Decoder FAQ
What are the three parts of a JWT?
A JWT has three Base64URL-encoded parts separated by dots: the header (algorithm and token type), the payload (claims such as user ID, expiration, and custom data), and the signature (cryptographic proof that the token has not been tampered with).
Can anyone decode a JWT?
Yes. The header and payload are Base64URL-encoded, not encrypted. Anyone with the token can decode and read the claims. This is why you should never put secrets or passwords inside a JWT payload. Verification (checking the signature) is a separate step that requires the signing key.
What is the difference between decoding and verifying a JWT?
Decoding means reading the header and payload by reversing the Base64URL encoding — no key is needed. Verifying means checking the signature to confirm the token was issued by a trusted party and has not been altered. Always verify before trusting claims in production.
What are standard JWT claims?
Standard (registered) claims include: iss (issuer), sub (subject / user ID), aud (audience), exp (expiration time as Unix timestamp), nbf (not before), iat (issued at), and jti (unique token ID). All are optional but widely used.
How do I check if a JWT is expired?
Look at the exp claim in the payload. It is a Unix timestamp (seconds since 1970-01-01). If the current time is past that timestamp, the token is expired. This decoder checks expiration automatically and shows the status.
What does the alg field in the header mean?
The alg field specifies the signing algorithm. Common values include HS256 (HMAC with SHA-256, symmetric), RS256 (RSA with SHA-256, asymmetric), and ES256 (ECDSA with SHA-256, asymmetric). The algorithm determines how the signature is created and verified.
Is it safe to paste my JWT into this tool?
Yes. This decoder runs entirely in your browser using JavaScript. Your token is never sent to any server. However, if a token grants access to a production system, treat it like a password — avoid sharing it or pasting it into tools you do not trust.
Why should I not put sensitive data in a JWT payload?
Because the payload is only Base64URL-encoded, not encrypted. Anyone who intercepts or receives the token can decode and read every claim. Store only non-secret identifiers and metadata. If you need encrypted tokens, consider JWE (JSON Web Encryption).
What is the difference between JWT and JWE?
A JWT (specifically a JWS — JSON Web Signature) is signed but not encrypted, so anyone can read the payload. A JWE (JSON Web Encryption) encrypts the payload so only the intended recipient can read it. Most systems use signed JWTs for authentication and reserve JWE for cases where payload confidentiality is required.