JWT Decoder: Decode JSON Web Tokens Online

Decode and inspect JWT (JSON Web Token) tokens instantly with our free online decoder. JWTs are commonly used for authentication in web applications—they're those long strings of random-looking characters you might see in login systems. Our JWT decoder tool helps you understand what information is stored inside these tokens by breaking them down into readable parts.

Simply paste any JWT token to see its header (signing algorithm and token type), payload (your actual data like user ID and permissions), and check if it's expired. Perfect for developers debugging authentication issues or anyone curious about what data their applications are passing around. No key or signature verification needed—just instant, clear visibility into your tokens, all processed locally in your browser.

What is a JWT (JSON Web Token)?

A JWT is a compact, URL-safe means of representing claims to be transferred between two parties. It's commonly used for authentication and information exchange in web applications. JWTs are digitally signed, so a recipient that holds the right key can verify they were issued by the expected party and have not been altered.

JWT Structure:

A JWT consists of three parts separated by dots (.):

xxxxx.yyyyy.zzzzz
  • Header (xxxxx): Contains token type (JWT) and signing algorithm (e.g., HMAC, RSA)
  • Payload (yyyyy): Contains the claims (statements about the user and additional data)
  • Signature (zzzzz): Used to verify the token hasn't been tampered with

Common Use Cases:

  • User authentication and session management
  • API authorization (Bearer tokens)
  • Single Sign-On (SSO) systems
  • Secure information exchange between parties
  • OAuth 2.0 and OpenID Connect flows

Standard Claims:

  • iss (Issuer): Who created and signed the token
  • sub (Subject): Who the token is about (usually user ID)
  • aud (Audience): Who the token is intended for
  • exp (Expiration Time): When the token expires (Unix timestamp)
  • nbf (Not Before): When the token becomes valid (Unix timestamp)
  • iat (Issued At): When the token was created (Unix timestamp)
  • jti (JWT ID): Unique identifier for the token

Common Algorithms:

Symmetric (HMAC):

  • HS256: HMAC with SHA-256 (most common)
  • HS384: HMAC with SHA-384
  • HS512: HMAC with SHA-512

Asymmetric (RSA/ECDSA):

  • RS256: RSA with SHA-256 (widely used)
  • ES256: ECDSA with SHA-256
  • PS256: RSA-PSS with SHA-256

Example JWT:

Token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Decoded Header:

{
  "alg": "HS256",
  "typ": "JWT"
}

Decoded Payload:

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
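The decoding step the tool performs, shown as an added example rather than the decoder's own source: split the page's example token, base64url-decode the header and payload, and classify the exp/nbf status the way the expiration check described above does. Assumes Node.js 16 or newer (Buffer understands the "base64url" encoding).

```javascript
// Added example, not the decoder's own source: decode a JWT without verifying
// it, as a client-side decoder does, and report its expiry status.
// Assumes Node.js 16+ (Buffer understands the "base64url" encoding).

// base64url segment -> UTF-8 string; Buffer accepts missing "=" padding.
function b64urlDecode(segment) {
  return Buffer.from(segment, "base64url").toString("utf8");
}

// Split at the dots and parse header and payload as JSON. The signature
// segment is returned untouched: without the key it cannot be checked.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [header, payload, signature] = parts;
  return {
    header: JSON.parse(b64urlDecode(header)),
    payload: JSON.parse(b64urlDecode(payload)),
    signature,
  };
}

// Status derived from exp / nbf (Unix seconds). `now` is injectable so the
// result is deterministic; a missing exp is reported rather than treated as ok.
function expiryStatus(payload, now = Math.floor(Date.now() / 1000)) {
  if (typeof payload.nbf === "number" && now < payload.nbf) {
    return { state: "not-yet-valid", secondsUntilValid: payload.nbf - now };
  }
  if (typeof payload.exp !== "number") {
    return { state: "no-expiry" }; // never expires: worth flagging
  }
  if (now >= payload.exp) {
    return { state: "expired", secondsAgo: now - payload.exp };
  }
  return { state: "valid", secondsRemaining: payload.exp - now };
}

// The example token shown on this page.
const EXAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

const decoded = decodeJwt(EXAMPLE_TOKEN);
console.log(decoded.header, decoded.payload);
console.log(expiryStatus(decoded.payload)); // { state: 'no-expiry' }
```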

Features:

  • Instant JWT decoding without verification
  • View header, payload, and metadata
  • Expiration status and time remaining
  • Standard claims extraction (iss, sub, aud, exp, etc.)
  • Copy buttons for each section
  • 100% client-side - your tokens never leave your browser

Important Security Notes:

  • Not encryption: JWTs are encoded, not encrypted. Anyone can decode them.
  • Don't store sensitive data: Never put passwords or secrets in JWT payload.
  • Verify signatures: Always verify JWT signatures on the server before trusting claims.
  • Use HTTPS: Always transmit JWTs over secure connections.
  • Short expiration: Use short expiration times (minutes to hours, not days).
  • Store securely: Store JWTs in httpOnly cookies or secure storage, not localStorage.

Frequently Asked Questions

What is a JWT token?

A JWT (JSON Web Token) is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three Base64url-encoded parts separated by dots: a header (algorithm type), a payload (claims/data), and a signature. JWTs are commonly used for authentication in web applications and APIs.

Is it safe to decode JWT tokens online?

Yes, with a client-side decoder like ours. JWT decoding only reveals the header and payload, which are Base64url-encoded (not encrypted). Our tool runs entirely in your browser—no tokens are sent to any server. However, never share your JWT tokens publicly: they may contain sensitive information like user IDs or permissions, and a token that is still valid can be replayed by whoever obtains it.

What do the different JWT claims mean?

Common claims include: 'sub' (subject/user ID), 'exp' (expiration time), 'iat' (issued at time), 'iss' (issuer), 'aud' (audience), and 'nbf' (not before). Custom claims can contain any application-specific data like user roles or permissions. Times are Unix timestamps (seconds since 1970).

How do I know if my JWT has expired?

Check the 'exp' claim in the payload—it's a Unix timestamp showing when the token expires. Our decoder automatically compares this to the current time and shows you whether the token is still valid or has expired. A token without an 'exp' claim never expires (though this is generally bad practice).

Why can't you verify the JWT signature?

JWT signature verification requires the key that matches the signature: for HMAC algorithms (HS256 and friends) that is the shared secret held only by the token issuer and the services it trusts; for RSA/ECDSA algorithms it is the issuer's public key. Our decoder shows you the token contents, but verifying authenticity must be done server-side where the secret is stored. Never expose your JWT signing secrets in client-side code.