JWT Token

Decoded

Paste a JWT token to decode it

About JWT Decoder

Decode JSON Web Tokens to inspect their header, payload, and signature. Detect expiration status, identify signing algorithms, and explain registered claims, all processed entirely in your browser.

Real-time decoding on paste
Color-coded token parts
Expiration status check
Registered claim descriptions

Complete Guide to JSON Web Tokens (JWT)

Free Online JWT Decoder & Inspector

Decode and inspect JSON Web Tokens instantly with this free online JWT decoder. View the JOSE header, payload claims, expiration status, and signing algorithm. It is useful for authentication, authorization, API tokens, OAuth 2.0, and OpenID Connect flows.

Key Features

Header Inspection

  • View signing algorithm such as HS256 or RS256
  • Identify token type
  • Display key ID (kid)
  • Explain common JOSE header fields

Payload Decoding

  • Display all claims with descriptions
  • Convert timestamps to readable dates
  • Identify registered claims such as iss, sub, aud, and exp
  • Show custom claims

Expiration Check

  • Automatic expiration detection
  • Expired or not expired badges
  • Readable expiry time
  • iat and nbf timestamp decoding

Color-Coded Display

  • Header highlighted in pink
  • Payload highlighted in purple
  • Signature highlighted in cyan
  • Clear visual separation of JWT parts

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims transferred between two parties. It is defined in RFC 7519 and widely used for authentication and authorization across web apps, APIs, and microservices.

JWT Structure:

Header: Metadata about the token, including signing algorithm and token type.

Payload: Claims about the user or entity plus token metadata.

Signature: A value created by signing the encoded header and payload with a secret or private key.

Registered JWT Claims

iss: Issuer, or who issued the JWT.

sub: Subject, usually the user or entity the token is about.

aud: Audience, or the intended recipient of the token.

exp: Expiration timestamp after which the token must not be accepted.

nbf: Not-before timestamp before which the token must not be accepted.

iat: Issued-at timestamp.

jti: Unique token ID, useful for replay protection.

Common Signing Algorithms

HS256: HMAC with SHA-256. Uses one shared secret for signing and verification.

RS256: RSA with SHA-256. Uses a private key to sign and a public key to verify.

ES256: ECDSA with P-256 and SHA-256. Uses elliptic curves with shorter signatures.

PS256: RSA-PSS with SHA-256. A stronger RSA signing variant with probabilistic padding.

How to Use the JWT Decoder

  1. Paste your JWT: Copy and paste a JWT token into the input field. Decoding starts automatically.
  2. View the header: Open the Header tab to see algorithm, token type, and key ID.
  3. Inspect the payload: Open the Payload tab to see all claims with readable descriptions.
  4. Check expiration: The tool checks whether the token is expired or still valid.
  5. View the signature: Open the Signature tab to inspect the raw signature and algorithm info.
  6. Copy sections: Use copy buttons to copy decoded sections as formatted JSON.

Common JWT Use Cases

Authentication: A server issues a JWT after login, and the client sends it with later requests to prove identity.

Authorization: JWTs can contain roles or permissions so APIs can make access decisions.

Single Sign-On: JWTs help share authentication state across services through a central identity provider.

API Security: Stateless JWT authentication is common for REST, GraphQL, microservices, and serverless systems.

OAuth 2.0 / OpenID Connect: JWTs are used as access tokens, ID tokens, and sometimes refresh tokens.

Perfect For

  • Backend developers
  • Frontend developers
  • API developers
  • Security engineers
  • DevOps engineers
  • QA and testing teams
  • Mobile app developers
  • Microservices architects
  • Identity and access management
  • Students learning authentication
  • Technical support teams
  • Security auditors

JWT Security Best Practices

  • Always verify the signature on the server side.
  • Use short-lived tokens and refresh tokens where appropriate.
  • Prefer strong algorithms such as RS256 or ES256 for production systems.
  • Validate iss, aud, exp, and nbf claims on the server.
  • Do not store sensitive data in JWT payloads because they are encoded, not encrypted.
  • Transmit tokens only over HTTPS.
  • Store tokens securely, for example in httpOnly cookies for web apps.
  • Plan token revocation using short expiry, refresh rotation, or deny lists.

Complete Privacy Protection

All JWT decoding happens entirely in your web browser using JavaScript. Your tokens are never uploaded, stored, logged, or sent to any third party.

Learn JWT Fundamentals

New to JSON Web Tokens? Read our beginner-friendly guide covering token structure, claims, signing, and security best practices.

Read: What is JWT?

Related Developer Tools