JWT Decoder

Decode and inspect JSON Web Tokens safely in your browser.


Privacy Notice: All decoding happens in your browser. Your tokens are never sent to any server. JWTs are decoded, not verified. This tool does not validate signatures.


JWT Structure & Claims Reference

1. Paste your token

Paste any JWT — from a browser cookie, an Authorization header, or an OAuth response. The token is decoded entirely in your browser; no data is sent to any server.

2. Inspect claims

The decoder shows the header (algorithm, token type), payload (all claims including expiration, subject, roles), and flags whether the token is currently expired based on the exp claim.

3. Debug auth issues

Use the decoded claims to debug authentication failures — check if the token has expired, if the audience (aud) matches your service, or if expected custom claims are present.

Standard JWT Claims Reference

| Claim | Full name | Description | Required? |
|-------|-----------|-------------|-----------|
| iss | Issuer | Identifies who issued the token (e.g., auth.example.com) | No |
| sub | Subject | The user or entity the token represents (e.g., user ID) | No |
| aud | Audience | Intended recipients of the token | No |
| exp | Expiration Time | Unix timestamp after which the token is invalid | No |
| nbf | Not Before | Unix timestamp before which the token is not valid | No |
| iat | Issued At | Unix timestamp when the token was created | No |
| jti | JWT ID | Unique identifier to prevent token replay attacks | No |

JWT Security: What You Can and Cannot Verify

A JWT consists of three Base64URL-encoded parts separated by dots: header.payload.signature. The header and payload are only encoded, not encrypted. Anyone who has the token can decode and read the claims without a key, so never put sensitive data like passwords or credit card numbers in a JWT payload.

The signature is what provides security. It is a cryptographic value computed over the encoded header and payload with a secret (HMAC) or a private key (RS256/ES256). Servers verify the signature before trusting any claims. This tool decodes the payload for inspection; it does not verify the signature, which requires the secret or public key. For security auditing, always verify the signature server-side and never trust a decoded JWT without signature verification.
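The gap between decoding and verifying described above, together with the exp and aud checks from the debugging steps, shown as an added example that is not this tool's code. It assumes Node.js and HS256 only; the secret, claims, tokens and helper names are constructed for illustration.

```javascript
// Added example, not the tool's code. Secret, claims and tokens are constructed.
const { createHmac, timingSafeEqual } = require("node:crypto");

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const dec = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));
const hmac = (input, secret) => createHmac("sha256", secret).update(input).digest();

// Decode only: needs no key and proves nothing about who wrote the claims.
function decodeJwt(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = [dec(parts[0]), dec(parts[1])];
  if (!header || !payload || typeof header !== "object" || typeof payload !== "object")
    throw new Error("header and payload must be JSON objects");
  return { header, payload, parts };
}

// Verify an HS256 token, then apply the exp / nbf / aud checks from the claims table.
function verifyHs256(token, secret, { audience, now = Math.floor(Date.now() / 1000) } = {}) {
  let t;
  try { t = decodeJwt(token); } catch { return { ok: false, reason: "malformed" }; }
  // Pin the algorithm on the verifier side; never let the header choose it.
  if (t.header.alg !== "HS256") return { ok: false, reason: "unexpected alg" };
  const expected = hmac(`${t.parts[0]}.${t.parts[1]}`, secret);
  const given = Buffer.from(t.parts[2], "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected))
    return { ok: false, reason: "bad signature" };
  const { exp, nbf, aud } = t.payload;
  if (typeof exp === "number" && now >= exp) return { ok: false, reason: "expired" };
  if (typeof nbf === "number" && now < nbf) return { ok: false, reason: "not yet valid" };
  if (audience !== undefined && ![].concat(aud ?? []).includes(audience))
    return { ok: false, reason: "audience mismatch" };
  return { ok: true, payload: t.payload };
}

// Constructed fixtures: a signed token, and a copy whose payload was edited afterwards.
const SECRET = "constructed-demo-secret";
function sign(payload, secret) {
  const input = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(payload)}`;
  return `${input}.${hmac(input, secret).toString("base64url")}`;
}
const good = sign({ sub: "user-123", aud: "api.example.test", role: "user", exp: 2000000000 }, SECRET);
const [h, , s] = good.split(".");
const edited = `${h}.${enc({ ...decodeJwt(good).payload, role: "admin" })}.${s}`;

console.log(decodeJwt(edited).payload.role); // the edited token still decodes cleanly
console.log(verifyHs256(edited, SECRET, { now: 1700000000 }));
console.log(verifyHs256(good, SECRET, { now: 1700000000, audience: "api.example.test" }));
```

A decoder shows the edited claims exactly as it shows genuine ones; only the verifier, which holds the key, can tell the two tokens apart.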
