JWT Decoder
Decode and inspect JSON Web Tokens instantly. 100% client-side processing - your tokens never leave your browser.
Signature verification requires the secret key. This tool only decodes tokens.
Common JWT Claims
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Who issued the token |
| sub | Subject | Who the token is about (usually user ID) |
| aud | Audience | Who the token is intended for |
| exp | Expiration | When the token expires (Unix timestamp) |
| iat | Issued At | When the token was issued (Unix timestamp) |
| nbf | Not Before | Token not valid before this time |
| jti | JWT ID | Unique identifier for the token |
100% Client-Side: All decoding happens in your browser. Your tokens never touch our servers.
Free, No Signup: Use unlimited times without creating an account. No ads, no tracking.
Fast, Instant Decode: Decode JWTs as you type with real-time parsing and timestamp conversion.
Frequently Asked Questions
What is a JWT (JSON Web Token)?
A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties. JWTs are commonly used for authentication and authorization in web applications. They consist of three parts: a header (algorithm and token type), a payload (claims/data), and a signature (for verification). JWTs are self-contained: the claims a recipient needs are carried in the token itself, so a party holding the verification key can check the token without a lookup at the issuer.
Can this tool verify JWT signatures?
No, this tool only decodes and displays the contents of a JWT. Signature verification requires the secret key (for HMAC algorithms) or public key (for RSA/ECDSA algorithms) used to sign the token. These keys should never be shared publicly or entered into online tools. This decoder is designed for inspecting token contents during development and debugging - always verify signatures on your server using proper cryptographic libraries.
What are the three parts of a JWT?
A JWT consists of three parts separated by dots (xxxxx.yyyyy.zzzzz): 1) Header - contains metadata about the token, including the token type (JWT) and the signing algorithm (e.g., HS256, RS256). 2) Payload - contains claims, which are statements about the user and additional metadata like expiration time. 3) Signature - created by encoding the header and payload, then signing them with a secret key (or a private key for RSA/ECDSA algorithms) so that tampering with the token can be detected.
What do common claims like exp, iat, sub mean?
JWT claims are key-value pairs in the payload. Common registered claims include: exp (Expiration Time) - Unix timestamp when the token expires; iat (Issued At) - Unix timestamp when the token was created; sub (Subject) - identifier for who the token is about, usually a user ID; iss (Issuer) - who created and signed the token; aud (Audience) - intended recipient of the token; nbf (Not Before) - token not valid before this time; jti (JWT ID) - unique identifier for the token.
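The decoding steps described in the two answers above, as an added example (not this tool's own code): it splits a token into its three parts, decodes the header and payload, converts exp, iat and nbf to readable times, and reports the result as unverified. The sample token, issuer URL and function names are constructed for illustration.

```javascript
// Added example: decode-only inspection. Nothing here verifies the signature.
const enc = (s) => btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Constructed sample token; the signature segment is a placeholder, not a real MAC.
const SAMPLE_TOKEN = [
  enc(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  enc(JSON.stringify({ iss: "https://issuer.example", sub: "user-123", iat: 1700000000, exp: 1700003600 })),
  enc("constructed-signature"),
].join(".");

// base64url uses "-" and "_" and drops padding; map back before calling atob.
function b64urlToBytes(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("segment is not base64url");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

function decodeJsonSegment(segment, name) {
  try {
    const text = new TextDecoder("utf-8", { fatal: true }).decode(b64urlToBytes(segment));
    const value = JSON.parse(text);
    if (value === null || typeof value !== "object" || Array.isArray(value)) {
      throw new Error("not a JSON object");
    }
    return value;
  } catch (err) {
    throw new Error(`Invalid JWT: bad ${name} (${err.message})`);
  }
}

// nowSeconds is injectable so the time checks are reproducible.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("Invalid JWT: expected header.payload.signature");
  const header = decodeJsonSegment(parts[0], "header");
  const payload = decodeJsonSegment(parts[1], "payload");
  const times = {};
  const warnings = [];
  for (const claim of ["exp", "iat", "nbf"]) {
    if (typeof payload[claim] === "number") times[claim] = new Date(payload[claim] * 1000).toISOString();
  }
  if (typeof payload.exp === "number" && payload.exp <= nowSeconds) warnings.push("expired");
  if (typeof payload.nbf === "number" && payload.nbf > nowSeconds) warnings.push("not yet valid");
  const signatureBytes = b64urlToBytes(parts[2]).length;
  return { header, payload, times, warnings, signatureBytes, verified: false };
}
```

The `verified: false` field is fixed on purpose: decoded claims are only display data until a server checks the signature with the key.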
Is this tool free and secure?
Yes, this JWT decoder is completely free with no signup required. All decoding happens entirely in your browser using JavaScript - your tokens are never sent to any server. This makes it safe to decode tokens containing sensitive information during development. However, you should still avoid sharing production tokens publicly, as they may contain sensitive user information and could be replayed if not expired.