JWT Decoder

Paste a JSON Web Token below to decode and inspect it.

What is a JSON Web Token?

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It consists of three base64url-encoded parts separated by dots: a header, a payload, and a signature. The header describes the signing algorithm, the payload carries the claims (such as user identity or permissions), and the signature lets the recipient verify the token has not been tampered with.

Common use cases

JWTs are the backbone of stateless authentication in modern web applications. After a user logs in, the server issues a JWT that the client includes in subsequent requests, typically as a Bearer token in the Authorization header. OAuth 2.0 and OpenID Connect both rely on JWTs for access tokens and identity tokens. They are also used for single sign-on across multiple services, API gateway authorisation, and short-lived invitations or password reset links.

Decoding versus verifying

This tool only decodes JWTs: it reads the header and payload by base64url-decoding them and parsing the resulting JSON. Decoding does not verify the signature. Signature verification requires the secret key (for HMAC algorithms) or the public key (for RSA or ECDSA). Never trust claims from a JWT without verifying the signature on your server.

Expiration and claims

The exp claim is a Unix timestamp indicating when the token expires. If present, this tool compares it against the current time and shows whether the token is still valid or has expired. Other standard claims include iat (issued at), nbf (not before), iss (issuer), sub (subject), and aud (audience). Custom claims can carry any application-specific data.
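
The decode-only behaviour described under "Decoding versus verifying" and the exp comparison described above can be sketched as follows. This is an added example, not this tool's own code; the function names, the sample claims and the placeholder signature are all constructed for illustration.

```javascript
// Added example: decode-only inspection of a compact JWT. Nothing here checks the signature.

// Build a base64url segment; used only to construct the sample tokens below.
const encode = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Decode one base64url segment into a JavaScript value.
function decodeSegment(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error('segment is not base64url');
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4); // restore stripped padding
  const bytes = Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
  return JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes));
}

// Decode header and payload, then compare nbf/exp with nowSeconds (Unix time).
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  let timeStatus = 'no exp claim';
  if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) {
    timeStatus = 'not yet valid';
  } else if (typeof payload.exp === 'number') {
    timeStatus = nowSeconds >= payload.exp ? 'expired' : 'not expired';
  }
  // signatureChecked is always false: decoding never touches parts[2].
  return { header, payload, timeStatus, signatureChecked: false };
}

// Constructed sample data: the signature is a placeholder string, not a real MAC.
const HEADER = encode({ alg: 'HS256', typ: 'JWT' });
const CLAIMS = { sub: 'user-123', role: 'viewer', iat: 1700000000, exp: 1700003600 };
const SAMPLE = `${HEADER}.${encode(CLAIMS)}.c2lnbmF0dXJl`;
// Same header and signature, payload changed after the fact.
const EDITED = `${HEADER}.${encode({ ...CLAIMS, role: 'admin' })}.c2lnbmF0dXJl`;

for (const [name, token] of [['sample', SAMPLE], ['edited', EDITED]]) {
  const { payload, timeStatus, signatureChecked } = inspectJwt(token, 1700000100);
  console.log(name, payload.role, timeStatus, 'signature checked:', signatureChecked);
}
```

Both tokens decode cleanly and report the same expiry status, which is why a decoded payload is only display data until a server has verified the signature with the key.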

Privacy

This tool runs entirely in your browser. No tokens are sent to any server. Your input stays on your machine.

ectoplasma.org · free tools