Paste any JWT and instantly see its decoded header, payload, and signature. All decoding happens in your browser — your tokens never leave your machine.
A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519. It is widely used for authentication and information exchange between services.
A JWT consists of three base64url-encoded parts separated by dots:
| Part | Contents | Example |
|---|---|---|
| Header | Algorithm and token type | {"alg":"HS256","typ":"JWT"} |
| Payload | Claims (data) | {"sub":"user_42","exp":1893456000} |
| Signature | Integrity check | HMACSHA256(header + "." + payload, secret) |
The header and payload are simply base64url-encoded JSON — they are not encrypted. Anyone who holds the token can read them. The signature lets a party that holds the key check that the token was issued by the key holder and has not been tampered with; a reader without the key can decode the token but cannot establish its authenticity.
The JWT specification defines a set of registered claim names with well-known meanings:
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Who issued the token |
| sub | Subject | Who the token is about (usually a user ID) |
| aud | Audience | Who the token is intended for |
| exp | Expiration | When the token expires (Unix timestamp) |
| nbf | Not Before | Token not valid before this time (Unix timestamp) |
| iat | Issued At | When the token was issued (Unix timestamp) |
| jti | JWT ID | Unique identifier for the token |
Applications can also add any custom claims (e.g. role, email, permissions).
Yes. All decoding is done entirely in your browser using JavaScript. The token is never sent to any server. You can verify this by checking the browser network tab — no requests are made when you paste a token.
No. Signature verification requires the secret key (for HMAC algorithms like HS256) or the public key (for RSA/ECDSA algorithms like RS256). This tool only decodes the token — it reads the header and payload without verifying authenticity.
A token with no expiration is one that does not contain an exp claim. Such tokens are valid indefinitely unless explicitly revoked. This is common for API keys and service account tokens.
Standard JWTs (JWS — JSON Web Signature) are signed, not encrypted. The payload is base64url-encoded, which is trivially reversible. Never put sensitive data like passwords in a JWT payload. For encrypted tokens use JWE (JSON Web Encryption) instead.