JWT Token
Decoded
Paste a JWT token to decode it
About JWT Decoder
Decode JSON Web Tokens to inspect their header, payload, and signature. Detect expiration status, identify signing algorithms, and explain registered claims, all processed entirely in your browser.
Complete Guide to JSON Web Tokens (JWT)
Free Online JWT Decoder & Inspector
Decode and inspect JSON Web Tokens instantly with this free online JWT decoder. View the JOSE header, payload claims, expiration status, and signing algorithm. It is useful for authentication, authorization, API tokens, OAuth 2.0, and OpenID Connect flows.
Key Features
Header Inspection
- View signing algorithm such as HS256 or RS256
- Identify token type
- Display key ID (kid)
- Explain common JOSE header fields
Payload Decoding
- Display all claims with descriptions
- Convert timestamps to readable dates
- Identify registered claims such as iss, sub, aud, and exp
- Show custom claims
Expiration Check
- Automatic expiration detection
- Expired or not expired badges
- Readable expiry time
- iat and nbf timestamp decoding
Color-Coded Display
- Header highlighted in pink
- Payload highlighted in purple
- Signature highlighted in cyan
- Clear visual separation of JWT parts
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe way to represent claims transferred between two parties. It is defined in RFC 7519 and widely used for authentication and authorization across web apps, APIs, and microservices.
JWT Structure:
Header: Metadata about the token, including signing algorithm and token type.
Payload: Claims about the user or entity plus token metadata.
Signature: A value created by signing the encoded header and payload with a secret or private key.
Registered JWT Claims
iss: Issuer, or who issued the JWT.
sub: Subject, usually the user or entity the token is about.
aud: Audience, or the intended recipient of the token.
exp: Expiration timestamp after which the token must not be accepted.
nbf: Not-before timestamp before which the token must not be accepted.
iat: Issued-at timestamp.
jti: Unique token ID, useful for replay protection.
Common Signing Algorithms
HS256: HMAC with SHA-256. Uses one shared secret for signing and verification.
RS256: RSA with SHA-256. Uses a private key to sign and a public key to verify.
ES256: ECDSA with P-256 and SHA-256. Uses elliptic curves with shorter signatures.
PS256: RSA-PSS with SHA-256. A stronger RSA signing variant with probabilistic padding.
How to Use the JWT Decoder
- Paste your JWT: Copy and paste a JWT token into the input field. Decoding starts automatically.
- View the header: Open the Header tab to see algorithm, token type, and key ID.
- Inspect the payload: Open the Payload tab to see all claims with readable descriptions.
- Check expiration: The tool checks whether the token is expired or still valid.
- View the signature: Open the Signature tab to inspect the raw signature and algorithm info.
- Copy sections: Use copy buttons to copy decoded sections as formatted JSON.
Common JWT Use Cases
Authentication: A server issues a JWT after login, and the client sends it with later requests to prove identity.
Authorization: JWTs can contain roles or permissions so APIs can make access decisions.
Single Sign-On: JWTs help share authentication state across services through a central identity provider.
API Security: Stateless JWT authentication is common for REST, GraphQL, microservices, and serverless systems.
OAuth 2.0 / OpenID Connect: JWTs are used as access tokens, ID tokens, and sometimes refresh tokens.
Perfect For
- Backend developers
- Frontend developers
- API developers
- Security engineers
- DevOps engineers
- QA and testing teams
- Mobile app developers
- Microservices architects
- Identity and access management
- Students learning authentication
- Technical support teams
- Security auditors
JWT Security Best Practices
- Always verify the signature on the server side.
- Use short-lived tokens and refresh tokens where appropriate.
- Prefer strong algorithms such as RS256 or ES256 for production systems.
- Validate iss, aud, exp, and nbf claims on the server.
- Do not store sensitive data in JWT payloads because they are encoded, not encrypted.
- Transmit tokens only over HTTPS.
- Store tokens securely, for example in httpOnly cookies for web apps.
- Plan token revocation using short expiry, refresh rotation, or deny lists.
Complete Privacy Protection
All JWT decoding happens entirely in your web browser using JavaScript. Your tokens are never uploaded, stored, logged, or sent to any third party.
Learn JWT Fundamentals
New to JSON Web Tokens? Read our beginner-friendly guide covering token structure, claims, signing, and security best practices.
Read: What is JWT?Related Developer Tools
JSON Formatter
Format, validate, and beautify JSON data. Perfect for inspecting decoded JWT payloads.
Base64 Encoder
Encode and decode Base64 strings. JWTs use Base64URL encoding for header and payload.
Hash Generator
Generate hashes to compare integrity and signing workflows.
Password Generator
Generate strong secrets for JWT signing and application credentials.
Timestamp Converter
Convert Unix timestamps used by JWT exp, iat, and nbf claims.
UUID Generator
Generate UUIDs for JWT IDs, jti claims, and unique application identifiers.