JWT Decoder

Decode JSON Web Tokens (JWT) instantly to view headers, payloads, and claims without verification. This free online JWT decoder helps developers debug authentication tokens, inspect OAuth tokens, and understand token structure. Note: This tool decodes tokens but does not verify signatures for security purposes.

Frequently Asked Questions

A JWT (JSON Web Token) is a compact, URL-safe token used for authentication and information exchange between parties. Decoding a JWT lets you view the header (token type and algorithm), payload (claims and user data), and signature. Developers decode JWTs to debug authentication issues, inspect user permissions, or understand token contents during development.

Simply paste your JWT token into the input field and click 'Decode JWT'. The tool will immediately parse the token and display the header and payload in readable JSON format. You'll see all the claims, expiration times, issuer information, and any custom data stored in the token.

No, this decoder only displays the header and payload contents of the JWT; it does not verify the signature. Signature verification requires the secret key or public key, which should never be shared or entered into online tools. For security, always verify JWTs server-side using proper libraries with your secret keys.

A decoded JWT typically shows the token type and signing algorithm in the header, and, in the payload, claims like 'iss' (issuer), 'sub' (subject), 'aud' (audience), 'exp' (expiration time), 'iat' (issued at), and any custom claims. This information helps you understand who issued the token, when it expires, and what permissions or data it contains.

Decoding JWTs client-side is generally safe since JWTs are designed to be readable by anyone: they are base64 encoded, not encrypted. However, never decode JWTs containing highly sensitive data using public online tools. This tool processes tokens entirely in your browser without sending data to servers, but avoid using it with production tokens containing sensitive information.

JWTs follow a standard structure with three base64-encoded parts separated by dots: header.payload.signature. The header describes the token type and algorithm, the payload contains the claims and data, and the signature ensures the token hasn't been tampered with. This structure makes JWTs compact and URL-safe while maintaining security.

Decoded JWTs contain an 'exp' (expiration) claim, which is a Unix timestamp in seconds. Compare this timestamp to the current time: if the current time is greater than the exp value, the token has expired. The decoder displays this timestamp in readable format to help you verify token validity.

'iat' (issued at) shows when the token was created, 'exp' (expiration time) indicates when it expires, and 'nbf' (not before) specifies when the token becomes valid. Together these timestamps define the token's lifecycle and limit the window in which a token can be replayed.

Yes! OAuth 2.0 access tokens and OpenID Connect ID tokens often use JWT format. Decoding them reveals scopes, permissions, user identifiers, and authentication details. This is invaluable for debugging authentication flows, verifying granted permissions, and troubleshooting integration issues.

A JWT whose header specifies 'alg: none' (also called an unsecured JWT) has no signature to verify. This is dangerous in production and often indicates a security vulnerability. Legitimate JWTs should use algorithms like RS256, HS256, or ES256. If you see 'none', investigate immediately as it may indicate a security issue.
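The checks described above (splitting the three parts, comparing 'exp' and 'nbf' against a clock, and flagging 'alg: none') as an added example in plain Node.js; this is not the tool's own code, and the sample token, its claim values, and the placeholder signature are constructed for illustration.

```javascript
// Added example (not the page's own code): decode a JWT without verifying it,
// then apply the FAQ's checks: exp/nbf against a clock, and alg "none".

// JWT segments are unpadded base64url (RFC 7515): restore padding and
// map the URL-safe alphabet back to standard base64 before decoding.
function base64UrlDecode(part) {
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split header.payload.signature and parse the two JSON segments.
// The signature is returned untouched: nothing here verifies it.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected three dot-separated parts');
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
    signature: parts[2],
  };
}

// Lifecycle check from exp/nbf (Unix seconds), evaluated at nowSeconds.
function tokenStatus(payload, nowSeconds) {
  if (typeof payload.exp === 'number' && nowSeconds >= payload.exp) return 'expired';
  if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) return 'not-yet-valid';
  return 'active';
}

// Unsecured JWT: header alg is "none" (compare case-insensitively).
function isUnsecured(header) {
  return typeof header.alg === 'string' && header.alg.toLowerCase() === 'none';
}

// Constructed sample (not a real credential): HS256 header, claims issued at
// 1700000000 and valid for one hour, plus a placeholder signature segment.
const SAMPLE_HEADER = { alg: 'HS256', typ: 'JWT' };
const SAMPLE_PAYLOAD = { iss: 'https://issuer.example', sub: 'user-123',
  aud: 'api.example', iat: 1700000000, nbf: 1700000000, exp: 1700003600,
  scope: 'read:profile' };
const SAMPLE_TOKEN = [base64UrlEncode(JSON.stringify(SAMPLE_HEADER)),
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)), 'signature-placeholder'].join('.');
```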