JWT Decoder
Paste any JWT and instantly see the decoded header, payload, and expiration. All decoding happens in your browser.
How to use JWT Decoder
The JWT Decoder parses JSON Web Tokens and displays their header, payload claims and signature in a readable format. JWTs are Base64URL-encoded tokens used to securely transmit identity and authorisation claims between parties. This tool lets developers inspect token contents, check expiry times, verify algorithm choices and debug authentication flows without writing a single line of code.
- Paste the full JWT string (three dot-separated segments) into the input field.
- The tool automatically splits and Base64URL-decodes the header and payload sections.
- Inspect the header for the algorithm (alg) and key ID (kid) fields.
- Check the payload for standard claims: iss (issuer), sub (subject), aud (audience), exp (expiry), iat (issued at).
- Note any custom claims added by your identity provider.
- For signature verification, enter the signing secret (HMAC) or public key (RSA/EC) in the verification panel.
JWT structure and encoding
A JWT consists of three Base64URL-encoded segments separated by dots: the header, the payload and the signature. The header is a JSON object specifying the token type ("JWT") and signing algorithm ("HS256", "RS256", "ES256", etc.). The payload contains claims: JSON key-value pairs carrying identity or authorisation data. The signature is computed over the encoded header and payload joined by a dot (header.payload) using the chosen algorithm and a secret or private key, so a verifier holding the right key can detect any change made to the token since it was issued.
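The structure described above can be unpacked in a few lines. The following is an added example, not the tool's own code: it assumes Node.js (for `Buffer` and its `base64url` encoding), the names `decodeSegment` and `decodeJwt` are hypothetical, and the sample token is constructed. It decodes only and verifies nothing.

```javascript
// Added example: decode-only inspection of a JWT. No signature is verified here,
// so every value returned must be treated as untrusted input.
const B64URL = /^[A-Za-z0-9_-]+$/;

// Decode one segment and insist that it is a JSON object, as header and payload must be.
function decodeSegment(segment, name) {
  if (!B64URL.test(segment)) throw new Error(`${name}: not Base64URL`);
  const json = Buffer.from(segment, "base64url").toString("utf8");
  let value;
  try { value = JSON.parse(json); } catch { throw new Error(`${name}: not valid JSON`); }
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error(`${name}: not a JSON object`);
  }
  return value;
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error(`expected 3 segments, got ${parts.length}`);
  const [h, p, s] = parts;
  const header = decodeSegment(h, "header");
  const payload = decodeSegment(p, "payload");
  const hasExp = typeof payload.exp === "number";
  return {
    header,
    payload,
    signingInput: `${h}.${p}`,                         // the bytes the signature covers
    signatureBytes: Buffer.from(s, "base64url").length, // 0 for an unsigned token
    expiresAt: hasExp ? new Date(payload.exp * 1000).toISOString() : null,
    expired: hasExp ? nowSeconds >= payload.exp : null, // exp is seconds since the epoch
  };
}

// Constructed sample token; the third segment is filler, not a real signature.
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const SAMPLE = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user-123", exp: 1700000000 }),
  Buffer.from("not-a-real-signature").toString("base64url"),
].join(".");
```
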
Common JWT claims and security considerations
RFC 7519 defines registered claims: iss (issuer), sub (subject), aud (intended audience), exp (expiration Unix timestamp), nbf (not before), iat (issued at) and jti (JWT ID for replay prevention). Always verify the signature and validate exp before trusting a token; decoded claims on their own prove nothing about who issued them. Never store sensitive data in the payload: it is encoded, not encrypted, and is trivially readable by anyone who holds the token. For confidential data, use JSON Web Encryption (JWE). The "none" algorithm (no signature) is a known attack vector; reject it explicitly in your validation code.
| Claim | Full name | Type | Purpose |
|---|---|---|---|
| iss | Issuer | String/URI | Identifies who issued the token |
| sub | Subject | String/URI | Identifies the principal (user ID) |
| aud | Audience | String or array | Identifies intended recipients |
| exp | Expiration | NumericDate | Token must be rejected after this time |
| nbf | Not Before | NumericDate | Token must be rejected before this time |
| iat | Issued At | NumericDate | Time the token was issued |
| jti | JWT ID | String | Unique ID for replay prevention |
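The HMAC verification step and the checks listed in this section, put together as an added example (not the tool's own code). It assumes Node.js and its built-in `crypto` module; `verifyHs256`, `signHs256` and the option names `issuer`, `audience` and `now` are hypothetical, and `signHs256` exists only to build tokens to check.

```javascript
// Added example (Node.js): verifier-side validation of an HS256 token.
const crypto = require("node:crypto");

const b64u = (x) => Buffer.from(x).toString("base64url");
const hmac = (input, secret) => crypto.createHmac("sha256", secret).update(input).digest();

// Parse one segment; anything other than a JSON object is treated as malformed.
function parseSegment(seg) {
  const v = JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
  if (v === null || typeof v !== "object" || Array.isArray(v)) throw new Error("not an object");
  return v;
}

// Helper used only to build sample tokens for checking the verifier.
function signHs256(claims, secret) {
  const input = `${b64u(JSON.stringify({ alg: "HS256", typ: "JWT" }))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${b64u(hmac(input, secret))}`;
}

function verifyHs256(token, secret, { issuer, audience, now = Math.floor(Date.now() / 1000) }) {
  const fail = (reason) => ({ ok: false, reason });
  const parts = String(token).split(".");
  if (parts.length !== 3) return fail("malformed");
  const [h, p, s] = parts;
  let header, claims;
  try { header = parseSegment(h); claims = parseSegment(p); } catch { return fail("malformed"); }

  // Pin the algorithm on the verifier side; never let the token choose it.
  // This rejects "none" and any algorithm other than the one this verifier expects.
  if (header.alg !== "HS256") return fail("alg not allowed");

  // Recompute the MAC over the exact received header.payload and compare in constant time.
  const expected = hmac(`${h}.${p}`, secret);
  const given = Buffer.from(s, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return fail("bad signature");
  }

  // Claims are examined only after the signature has checked out.
  if (typeof claims.exp !== "number" || now >= claims.exp) return fail("expired");
  if (typeof claims.nbf === "number" && now < claims.nbf) return fail("not yet valid");
  if (claims.iss !== issuer) return fail("wrong issuer");
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) return fail("wrong audience");
  return { ok: true, claims };
}
```

This verifier treats a missing exp as a failure, which is stricter than RFC 7519 (where exp is optional) but a common policy for access tokens.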
Glossary
- JWT: JSON Web Token — a compact, URL-safe token format defined by RFC 7519 for securely transmitting claims.
- Claim: A key-value pair in a JWT payload asserting a fact about the subject or the token itself.
- Base64URL: A variant of Base64 using - and _ instead of + and /, safe for use in URLs without percent-encoding.
- HMAC-SHA256: A symmetric signature algorithm that uses a shared secret to sign and verify JWTs (HS256).
- RS256: RSA Signature with SHA-256 — an asymmetric JWT algorithm using a private key to sign and a public key to verify.
Why use JWT Decoder?
- No installation — use directly from any browser
- Handles large inputs without crashing or timeouts
- Syntax highlighting and formatted output for readability
- Copy to clipboard shortcut for fast workflow integration