About JWT Decoder

Decode JSON Web Tokens to inspect their header, payload, and signature. Detects expiration status, identifies signing algorithms, and explains registered claims — all processed entirely in your browser.

Real-time decoding on paste
Color-coded token parts
Expiration status check
Registered claim descriptions

Complete Guide to JSON Web Tokens (JWT)

Free Online JWT Decoder & Inspector

Decode and inspect JSON Web Tokens instantly with our free online JWT decoder. View the JOSE header, payload claims (including registered, public, and private claims), expiration status, and signing algorithm. Perfect for developers working with authentication, authorization, API tokens, and OAuth 2.0 / OpenID Connect flows.

Key Features

🔑 Header Inspection

  • View signing algorithm (HS256, RS256, etc.)
  • Token type identification
  • Key ID (kid) display
  • All JOSE header fields explained

📦 Payload Decoding

  • All claims displayed with descriptions
  • Timestamps converted to human-readable dates
  • Registered claims identified (iss, sub, aud, exp, etc.)
  • Custom claims displayed

⏰ Expiration Check

  • Automatic expiration detection
  • Expired / not expired badges
  • Human-readable expiry time
  • iat and nbf timestamps decoded

🎨 Color-Coded Display

  • Header highlighted in pink
  • Payload highlighted in purple
  • Signature highlighted in cyan
  • Visual separation of JWT parts

What is a JWT?

A JSON Web Token (JWT, pronounced "jot") is a compact, URL-safe means of representing claims to be transferred between two parties. It's defined in RFC 7519 and is widely used for authentication and authorization across web applications, APIs, and microservices.

JWT Structure (3 parts separated by dots):

Header: Contains metadata about the token — the signing algorithm (alg) and token type (typ). Base64URL-encoded JSON.

Payload: Contains the claims — statements about the user or entity and additional metadata. Base64URL-encoded JSON.

Signature: Created by signing the encoded header and payload (joined by a dot) with a secret or private key. Verifying it on the server is what proves the token was issued by a holder of that key and hasn't been tampered with; merely decoding the token proves nothing.

Registered JWT Claims

iss (Issuer): Identifies who issued the JWT (e.g., your authentication server URL).

sub (Subject): Identifies the user or entity the token is about (e.g., user ID).

aud (Audience): Identifies the intended recipient(s) of the token (e.g., API server).

exp (Expiration): Unix timestamp after which the token must not be accepted.

nbf (Not Before): Unix timestamp before which the token must not be accepted.

iat (Issued At): Unix timestamp when the token was issued.

jti (JWT ID): Unique identifier for the token — useful for preventing replay attacks.
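The structure and claim handling described above, as an added example that is not the tool's own source: a minimal decoder that splits the three dot-separated parts, Base64URL-decodes the header and payload, labels registered versus custom claims, and classifies exp/nbf with optional clock-skew leeway. It runs under Node.js (uses Buffer); the sample token and its placeholder signature are constructed inline, and nothing here verifies a signature.

```javascript
// Descriptions for the registered claims of RFC 7519; anything else is a custom claim.
const REGISTERED_CLAIMS = {
  iss: 'Issuer', sub: 'Subject', aud: 'Audience', exp: 'Expiration time',
  nbf: 'Not before', iat: 'Issued at', jti: 'JWT ID',
};

// Base64URL uses '-' and '_' and omits padding; Node's 'base64url' codec accepts that directly.
function b64urlToJson(segment) {
  return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
}

// Split into header.payload.signature. The signature is kept as raw Base64URL text
// because it is bytes, not JSON. Decoding does NOT verify anything.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('JWT must have exactly 3 dot-separated parts');
  const [h, p, s] = parts;
  return { header: b64urlToJson(h), payload: b64urlToJson(p), signature: s };
}

// Classify the time claims relative to `now` (Unix seconds). RFC 7519 says the current
// time must be strictly before exp and not before nbf; `leeway` tolerates clock skew.
// A missing or non-numeric exp is reported as "no expiry" rather than silently "valid".
function timeStatus(payload, now = Math.floor(Date.now() / 1000), leeway = 0) {
  const num = (v) => (typeof v === 'number' && Number.isFinite(v) ? v : undefined);
  const exp = num(payload.exp), nbf = num(payload.nbf);
  return {
    hasExpiry: exp !== undefined,
    expired: exp !== undefined && now >= exp + leeway,
    notYetValid: nbf !== undefined && now < nbf - leeway,
    expiresAt: exp !== undefined ? new Date(exp * 1000).toISOString() : null,
  };
}

// Attach a human-readable description to each claim, as the decoder's payload view does.
function describeClaims(payload) {
  return Object.entries(payload).map(([name, value]) => ({
    name, value, description: REGISTERED_CLAIMS[name] || 'Custom claim',
  }));
}

// Constructed sample token (assumed values): HS256 header, a payload with registered and
// custom claims, and a placeholder signature segment that is never checked in this block.
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const SAMPLE_JWT = enc({ alg: 'HS256', typ: 'JWT' }) + '.' +
  enc({ iss: 'https://issuer.example', sub: 'user-42', iat: 1700000000, exp: 1700000900, role: 'admin' }) +
  '.placeholder-signature';
```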

Common Signing Algorithms

HS256 (HMAC + SHA-256): Symmetric algorithm — uses a single shared secret for signing and verification. Simple but requires securely sharing the secret.

RS256 (RSA + SHA-256): Asymmetric algorithm — uses a private key to sign and a public key to verify. Most popular for production systems and OAuth/OIDC.

ES256 (ECDSA + P-256 + SHA-256): Asymmetric algorithm using elliptic curves. Shorter keys and signatures than RSA with equivalent security.

PS256 (RSASSA-PSS + SHA-256): A more secure variant of RSA signing with probabilistic padding.

How to Use the JWT Decoder

  1. Paste your JWT: Copy and paste a JWT into the input field — decoding starts automatically.
  2. View the header: Click the Header tab to see the algorithm, token type, and key ID.
  3. Inspect the payload: Click the Payload tab to see all claims with human-readable descriptions.
  4. Check expiration: The tool automatically checks if the token is expired or still valid.
  5. View the signature: Click the Signature tab to see the raw signature and algorithm info.
  6. Copy any section: Use the copy buttons to copy individual sections as formatted JSON.

Common JWT Use Cases

Authentication: After a user logs in, the server issues a JWT. The client sends this token with each subsequent request to prove identity without needing to re-authenticate.

Authorization: JWTs can contain roles or permissions claims, allowing APIs to make access control decisions without querying a database.

Single Sign-On (SSO): JWTs enable SSO across multiple services by sharing authentication state via tokens issued by a central identity provider.

API Security: Stateless JWT-based authentication is ideal for REST and GraphQL APIs, microservices, and serverless architectures.

OAuth 2.0 / OpenID Connect: JWTs are used as access tokens, ID tokens, and refresh tokens in OAuth 2.0 and OIDC flows.

Perfect For

  • Backend developers
  • Frontend developers
  • API developers
  • Security engineers
  • DevOps engineers
  • QA & testing teams
  • Mobile app developers
  • Microservices architects
  • Identity & access management
  • Students learning authentication
  • Technical support teams
  • Security auditors

JWT Security Best Practices

  • Always verify the signature: Never trust a JWT without verifying its signature on the server side, using the algorithm and key your server expects rather than whatever the token's own header claims.
  • Set short expiration times: Use short-lived tokens (e.g., 15 minutes) and refresh tokens for better security.
  • Use strong algorithms: Prefer RS256 or ES256 over HS256 for production systems.
  • Validate all claims: Always check iss, aud, exp, and nbf claims on the server.
  • Don't store sensitive data: JWTs are encoded, not encrypted — anyone can read the payload. Never include passwords or secrets.
  • Use HTTPS: Always transmit JWTs over HTTPS to prevent interception.
  • Store securely: On web apps, prefer httpOnly cookies over localStorage so that script injected through an XSS flaw cannot read the token.
  • Implement token revocation: Use a token blacklist or short expiry with refresh tokens for revocation capability.

🔒 Complete Privacy Protection

All JWT decoding happens entirely in your web browser using JavaScript. Your tokens are never uploaded to our servers or any third party. No data is stored, logged, or transmitted. Your authentication tokens, API keys, and sensitive claims remain completely private and secure.

Learn JWT Fundamentals

New to JSON Web Tokens? Read our complete beginner-friendly guide covering token structure, claims, signing, and security best practices.
