JWT Decoder & Inspector
Paste a JSON Web Token to inspect its header, payload, and signature. Shows the algorithm, issued-at time, expiration, and whether the token is already expired.
What is a JWT?
A JSON Web Token (JWT, defined in RFC 7519) is a compact, URL-safe string that carries a set of claims as JSON. It consists of three segments separated by dots: a header describing the token, a payload of claims, and a signature that authenticates the first two segments. Each segment is independently base64url-encoded.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 ← header
.eyJzdWIiOiIxMjMiLCJleHAiOjE5MDB9 ← payload
.zg-3I8VWp1WqRwbqgnYzG0Mu5BMC... ← signature
How decoding works
This tool splits the token at the dots, base64url-decodes the first two parts, and parses each as JSON. The signature is shown in its raw base64url form because verifying it requires the secret or public key — something a static, client-side tool can't (and shouldn't) hold.
Decoding ≠ verifying. A JWT's signature only proves authenticity if you verify it with the issuer's key. Anyone can read a JWT — never store secrets inside a JWT payload, and never trust an unverified token in a production system. See JWT Structure for a deeper walkthrough.
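The splitting, base64url decoding and expiry check described above, as an added example that is not the tool's own source. It uses only globals that browsers and Node share (atob, btoa, TextEncoder, TextDecoder); both sample tokens are constructed here, the first from the page's own header and payload segments with a placeholder signature segment. Nothing in it verifies a signature.

```javascript
// Added example, not the page's code: inspect a JWT without verifying it.

// base64url (RFC 4648 section 5) uses '-' and '_' and drops padding;
// convert to standard base64 so atob() accepts it.
function base64urlToBytes(segment) {
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  const bin = atob(b64);
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes;
}

// Go through bytes + TextDecoder so non-ASCII claim values survive intact.
function decodeJsonSegment(segment) {
  const value = JSON.parse(new TextDecoder().decode(base64urlToBytes(segment)));
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error('segment is not a JSON object');
  }
  return value;
}

// Used only to build the constructed sample token below.
function jsonToBase64url(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

const toIso = (t) => (typeof t === 'number' ? new Date(t * 1000).toISOString() : null);

// nowSeconds defaults to the wall clock; pass a fixed value for reproducible checks.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  const header = decodeJsonSegment(h);
  const payload = decodeJsonSegment(p);
  return {
    header,
    payload,
    signature: s, // raw base64url: displayed, never checked
    alg: header.alg ?? null,
    issuedAt: toIso(payload.iat),
    expiresAt: toIso(payload.exp),
    // RFC 7519: the current time MUST be before exp and MUST NOT be before nbf
    expired: typeof payload.exp === 'number' ? nowSeconds >= payload.exp : null,
    notYetValid: typeof payload.nbf === 'number' ? nowSeconds < payload.nbf : null,
  };
}

// Constructed sample 1: the page's header and payload segments plus a
// placeholder signature segment (a real signature is not needed to decode).
const SAMPLE_FROM_PAGE =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMiLCJleHAiOjE5MDB9.c2lnLXBsYWNlaG9sZGVy';

// Constructed sample 2: a non-ASCII claim plus iat/nbf/exp
const SAMPLE_WITH_NBF = [
  jsonToBase64url({ alg: 'RS256', typ: 'JWT' }),
  jsonToBase64url({ sub: '42', name: 'Zoë', iat: 1700000000, nbf: 1700000060, exp: 1700003600 }),
  'c2lnLXBsYWNlaG9sZGVy',
].join('.');

console.log(JSON.stringify(inspectJwt(SAMPLE_FROM_PAGE, 1000), null, 2));
console.log(JSON.stringify(inspectJwt(SAMPLE_WITH_NBF, 1700000000), null, 2));
```

The `expired` and `notYetValid` fields are `null` when the claim is absent, so a missing `exp` is reported as "no expiry" rather than silently treated as valid forever; a verifier that needs bounded lifetimes should reject such tokens outright.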
Common JWT claims
| Claim | Name | Meaning |
|---|---|---|
| iss | Issuer | Who issued the token (URL or identifier). |
| sub | Subject | The principal the token is about (usually a user ID). |
| aud | Audience | The intended recipient(s) of the token. |
| exp | Expiration | Unix time after which the token must be rejected. |
| nbf | Not Before | Unix time before which the token must be rejected. |
| iat | Issued At | Unix time the token was issued. |
| jti | JWT ID | Unique identifier to prevent replay. |
FAQ
Is decoding a JWT safe?
Yes — JWTs are designed to be readable. The payload is encoded, not encrypted. Decoding it locally in your browser exposes nothing that wasn't already in the token. Of course, if the token is a real production credential, treat it like a password and don't paste it into untrusted tools.
Why doesn't this tool verify the signature?
Verification requires the signing key (HS256 secret, RS256/ES256 public key). A static, no-server tool cannot hold or fetch keys safely. Use your backend library (e.g. jsonwebtoken, jose) for verification.
What does the alg field mean?
It identifies the signing algorithm — typically HS256 (HMAC with SHA-256), RS256 (RSA PKCS#1 v1.5 with SHA-256), or ES256 (ECDSA with P-256 and SHA-256). The value none (an "unsecured JWS") is defined by the spec but must be rejected by any verifier that expects a signed token. More generally, the header is attacker-controlled until the signature has been checked, so a verifier should pin the algorithm and key it expects rather than selecting them from this field.
Are JWTs encrypted?
Plain JWTs (JWS) are signed, not encrypted. JWE (JSON Web Encryption) is a separate spec that produces encrypted tokens with five dot-separated segments instead of three.