JWT Decoder

Paste a JSON Web Token to decode the header and payload. Data stays entirely in your browser — nothing is sent to a server.

For development use only. Do not paste production tokens with sensitive data into any online tool.
Quick Answer

Paste your JWT into the input field. The decoder splits the token at the two dots, base64url-decodes the header and payload sections, and displays them as readable JSON. It checks the exp claim against the current time to show whether the token is valid or expired.
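The decoding steps above, as an added example in JavaScript that is not the tool's own code. It assumes Node's Buffer for base64 handling (a browser would use atob and TextDecoder) and builds its own constructed sample token; the signature is never checked, exactly as in the tool.

```javascript
// Added example, not the tool's own code: a minimal decoder that follows the
// steps above (split at the two dots, base64url-decode header and payload,
// parse them as JSON, compare exp to the current time). It never verifies
// the signature, so the claims it returns are untrusted.

function base64UrlDecode(segment) {
  // base64url swaps '+'/'/' for '-'/'_' and drops the trailing '=' padding.
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('invalid base64url segment length');
  if (rem) b64 += '='.repeat(4 - rem);
  // Buffer keeps this runnable under Node; in a browser use atob() + TextDecoder.
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  // Only used to build the constructed sample token below.
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  const header = JSON.parse(base64UrlDecode(headerSeg));
  const payload = JSON.parse(base64UrlDecode(payloadSeg));
  // exp is a NumericDate in seconds; a token with no exp never "expires" here.
  const expired = typeof payload.exp === 'number' ? nowSeconds >= payload.exp : null;
  return { header, payload, signature: signatureSeg, expired, verified: false };
}

// Constructed sample (not a real credential): HS256 header, common claims,
// and a placeholder signature that this decoder does not check.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({
    sub: 'user-123', iss: 'example-issuer', aud: 'example-api',
    iat: 1700000000, exp: 1700003600,
  })),
  'placeholder-signature',
].join('.');

console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN, 1700000100), null, 2));
```

Passing a fixed `nowSeconds` makes the expiry check deterministic; omit it to compare against the real clock.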

What is a JWT?

A JWT (JSON Web Token) is a compact, URL-safe token used to transmit information between two parties. It has three parts separated by dots: a Base64URL-encoded header, a Base64URL-encoded payload, and a signature. JWTs are commonly used for authentication — after a user logs in, the server issues a JWT that the client sends with each subsequent request.

Header, payload, and signature

The header typically contains the token type (JWT) and the signing algorithm (HS256, RS256, etc.). The payload contains claims — statements about the subject, like user ID, roles, and expiry time (exp). The signature lets the recipient verify that the header and payload haven't been tampered with; checking it requires the secret or public key, which this tool does not do.

Common JWT claims

sub (subject): who the token refers to. iss (issuer): who issued the token. exp (expiry): Unix timestamp after which the token is invalid. iat (issued at): when the token was issued. aud (audience): who the token is intended for.

Security note

The header and payload are Base64URL-encoded, not encrypted. Anyone with the token can read the claims. Never put sensitive data like passwords in a JWT payload. Use this tool only with development tokens or tokens that don't contain private information.

Frequently asked questions

What is a JWT?

A JSON Web Token (JWT) is a compact token with three Base64URL-encoded parts: header (algorithm), payload (claims), and signature. It is used widely for API authentication and authorization.

Is it safe to paste my JWT here?

This decoder runs entirely in your browser. No data is sent anywhere. But avoid pasting production tokens with sensitive data into any online tool — use test or development tokens instead.

What's the difference between header, payload, and signature?

The header has the token type and signing algorithm. The payload has the claims (data). The signature verifies the token's integrity — you need the secret or public key to verify it.

Can this tool verify a JWT signature?

No. Signature verification requires the secret or public key. This tool only decodes (Base64URL decodes) the header and payload. Never trust JWT claims without server-side signature verification.