JWT Decoder
Decodes the header and payload of a JSON Web Token. Does not verify the signature.
This tool runs in your browser. No data leaves your device.
How It Works
A JWT (JSON Web Token) has three parts: header, payload, and signature. The three
parts are separated by dots (.) and encoded with base64url.
This tool splits the token into its parts, shows the header and payload as JSON, and leaves the signature in its raw form.
Important warning
This tool does not verify the signature. The fact that a token “can be decoded” does not mean it is valid. In production, always:
- Verify the signature on the server side (the shared secret for HS256, the public key for RS256).
- Check the exp (expiration) and nbf (not-before) claims.
- Compare the iss and aud claims against the values you expect.
Trusting the payload without these checks is no different from skipping authentication entirely.
Common claims
- iss — who issued the token (issuer).
- sub — the subject the token refers to (subject), usually a user ID.
- aud — the party the token was issued for (audience).
- exp — expiration time (Unix timestamp).
- iat — when it was issued (Unix timestamp).
- nbf — the earliest time it becomes usable.
- jti — a unique token ID, used for detecting replay attacks.
JWS vs JWE
This tool works only with JWS (signed but not encrypted) tokens. In JWE (encrypted) tokens, the payload is ciphertext rather than JSON even after base64url decoding, so decoding fails for them.
Privacy
The token you paste is processed entirely in your browser. Even so, I’d recommend not pasting your production tokens — a token is a risk for as long as it sits anywhere it can leak from (history, clipboard, screen sharing).