JWT Decoder
Decode and inspect JSON Web Tokens (JWT) to view their header algorithm, payload claims, and expiration times. Essential for debugging OAuth 2.0, OpenID Connect, and API authentication flows. This tool only decodes — no signature verification is performed. All processing happens locally in your browser; the token is never sent to a server.
Paste a JSON Web Token to decode its header and payload. No signature verification is performed.
How It Works
A JSON Web Token consists of three parts separated by dots: header.payload.signature. The header specifies the signing algorithm (e.g., HS256, RS256). The payload contains claims — key-value pairs with information like user ID (sub), expiration time (exp), issuer (iss), and custom data.
Both header and payload are Base64URL-encoded JSON objects. This decoder extracts and parses these parts, converting Base64URL back to readable JSON. The signature (third part) is used for verification but is not validated by this tool.
Common JWT Claims
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Who issued the token |
| sub | Subject | Who the token refers to (usually user ID) |
| aud | Audience | Intended recipient of the token |
| exp | Expiration | Unix timestamp (seconds) at or after which the token is expired |
| iat | Issued At | Unix timestamp (seconds) when the token was issued |
| nbf | Not Before | Unix timestamp (seconds) before which the token is not yet valid |
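The decoding steps described under How It Works, together with the time-based claims in the table above, as an added example that is not the tool's own source code. It splits the token on dots, reverses the Base64URL alphabet substitution and restores padding so the standard decoder can read it, parses the JSON, and then evaluates exp, nbf and iat against a supplied clock. The sample token is the widely published jwt.io demo token (a constructed fixture, not a live credential), and buildDemoToken plus its placeholder signature are assumptions made for the demonstration; nothing here checks the signature, which is why the result carries verified: false.

```javascript
// Added example, not the decoder tool's own source. Runs in a browser or in
// Node 16+ (uses the global atob/btoa, TextEncoder and TextDecoder).

// Base64URL uses '-' and '_' instead of '+' and '/' and omits '=' padding,
// so restore the standard alphabet and padding before handing it to atob().
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error('segment contains characters outside the Base64URL alphabet');
  }
  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  if (base64.length % 4 === 1) throw new Error('invalid Base64URL length');
  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
  return new TextDecoder('utf-8').decode(bytes); // JWT JSON is UTF-8
}

// Inverse of the above; used here only to build constructed test tokens.
function base64UrlEncode(text) {
  const bytes = new TextEncoder().encode(text);
  const binary = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split "header.payload.signature" and parse the first two parts as JSON.
// The signature is returned untouched: nothing here verifies it.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [headerB64, payloadB64, signatureB64] = parts;
  const header = JSON.parse(base64UrlDecode(headerB64));
  const payload = JSON.parse(base64UrlDecode(payloadB64));
  if (typeof header !== 'object' || header === null ||
      typeof payload !== 'object' || payload === null) {
    throw new Error('header and payload must be JSON objects');
  }
  return { header, payload, signature: signatureB64, verified: false };
}

// Evaluate exp / nbf / iat against `nowSeconds` (Unix time in seconds, the
// unit RFC 7519 NumericDate values use). Per the RFC, "now" must be strictly
// before exp and at or after nbf for the token to be usable.
function inspectTimeClaims(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  const iso = (sec) => new Date(sec * 1000).toISOString();
  const notes = [];
  let expired = false;
  let notYetValid = false;
  if (typeof payload.exp === 'number') {
    expired = nowSeconds >= payload.exp;
    notes.push(`${expired ? 'expired at' : 'expires at'} ${iso(payload.exp)}`);
  } else {
    notes.push('no exp claim: the token never expires');
  }
  if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) {
    notYetValid = true;
    notes.push(`not valid before ${iso(payload.nbf)}`);
  }
  if (typeof payload.iat === 'number' && payload.iat > nowSeconds) {
    notes.push(`iat ${iso(payload.iat)} is in the future: check clock skew`);
  }
  return { expired, notYetValid, usable: !expired && !notYetValid, notes };
}

// Constructed sample: the public jwt.io demo token, whose payload is
// {"sub":"1234567890","name":"John Doe","iat":1516239022}.
const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

// Assumed helper: builds an unverified token from constructed header and
// payload objects with a placeholder third part, just to exercise the decoder.
function buildDemoToken(header, payload) {
  const h = base64UrlEncode(JSON.stringify(header));
  const p = base64UrlEncode(JSON.stringify(payload));
  return `${h}.${p}.placeholder-signature`;
}

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(JSON.stringify(decoded, null, 2));
console.log(inspectTimeClaims(decoded.payload, 1516240000).notes);
```

The boundary conditions matter in practice: a token whose exp equals the current second is already expired, and a missing exp is reported rather than silently treated as valid, since a token with no expiry is usually an issuer misconfiguration worth flagging during an audit.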
Common Use Cases
- Debugging authentication: Inspect token contents to troubleshoot login issues, expired sessions, or missing permissions.
- API development: Verify that your authentication server includes the correct claims in issued tokens.
- Security auditing: Check what data is exposed in JWTs (remember, payload is not encrypted, only signed).
- Learning OAuth 2.0: Understand the structure and content of tokens used in OAuth and OpenID Connect flows.
Frequently Asked Questions
What is a JWT?
A compact, URL-safe token format defined in RFC 7519 used for securely transmitting claims between parties, commonly used for authentication and authorization in web applications.
Is it safe to decode JWTs in the browser?
Yes. JWT payloads are not encrypted — they're just Base64-encoded. Anyone with the token can read the payload, so decoding reveals nothing that a holder of the token could not already see. The signature prevents tampering but doesn't hide the contents. The token itself is still a bearer credential, so only paste it into tools that process it locally, as this one does.
Does this tool verify the signature?
No. This tool only decodes the header and payload for inspection. Signature verification requires the shared secret (for HMAC algorithms such as HS256) or the issuer's public key (for asymmetric algorithms such as RS256). A shared secret must never be pasted into a browser tool, and verification belongs on the server that relies on the token, not in a decoder.
What is Base64URL encoding?
A variant of Base64 that uses - instead of + and _ instead of /, and omits padding (=). This makes the encoded string safe for use in URLs and HTTP headers.