JWT Decoder
Paste a JSON Web Token to decode its header, payload, and signature. See expiration status and known claims at a glance.
How it works
A JSON Web Token consists of three Base64URL-encoded parts separated by dots: header.payload.signature. This decoder splits the token, Base64URL-decodes the header and payload, and parses them as JSON.
The header typically contains the signing algorithm (HS256, RS256, etc.) and the token type. The payload contains claims — key-value pairs with data like user ID, roles, and expiration time.
Time-based claims (exp, iat, nbf) are displayed as human-readable dates. Expiration status is shown as a colored badge.
FAQ
- What is a JWT?
  A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties as a JSON object. It is commonly used for authentication and authorization in web applications and APIs.
- What is the structure of a JWT?
  A JWT has three parts separated by dots: Header (algorithm and token type), Payload (claims — the actual data), and Signature (cryptographic verification). Each part is Base64URL-encoded. The signature lets the recipient detect tampering.
- Is it safe to decode JWTs in the browser?
  Yes. The header and payload of a JWT are not encrypted — they are only Base64URL-encoded. Anyone with the token can read them. The signature is what prevents modification, not reading. This tool only decodes; it does not verify signatures.
- What is the difference between JWT and session tokens?
  Session tokens are opaque strings stored on the server — the server looks up session data. JWTs are self-contained: the token itself carries the data. JWTs are stateless (no server-side storage needed) but cannot be revoked without extra infrastructure.
- Can JWTs be tampered with?
  The payload can be read and modified by anyone, but any modification invalidates the signature. The receiving server should always verify the signature using the secret key or public key. Never trust a JWT without verifying its signature server-side.
- What are common JWT claims?
  Standard claims include: exp (expiration time), iat (issued at), nbf (not before), iss (issuer), sub (subject), aud (audience), and jti (unique token ID). Custom claims can contain any application-specific data.