JWT Decoder
Paste a JSON Web Token to decode and inspect its header, payload, claims, and expiry status. Everything runs in your browser — nothing is sent to a server.
This tool decodes JWTs. It does not verify signatures: decoding shows what a token claims, not whether the token is genuine or still valid.
What is a JWT?
A JSON Web Token (JWT, pronounced “jot”) is a compact, URL-safe token format for passing a set of claims between parties as a JSON object, normally protected by a signature or MAC (a JWS) and, much less commonly, by encryption (a JWE). JWTs are widely used as bearer tokens for authentication and authorization in web applications and APIs. When a user logs in, the server creates a JWT containing claims about the user (their ID, roles, permissions) and signs it with a shared secret (HMAC) or a private key (RSA/ECDSA). The client stores this token and presents it with subsequent requests, typically in the Authorization header as Authorization: Bearer <token>.
JWTs are stateless — the server doesn’t need to store session data because all necessary information is embedded in the token itself. This makes them ideal for distributed systems, microservice architectures, and single-page applications where maintaining server-side sessions is impractical. The trade-off is that JWTs cannot be revoked before expiry without maintaining a server-side blocklist, so short expiry times combined with refresh tokens are a common pattern.
JWT structure explained
Every JWT consists of three parts separated by dots: header.payload.signature. Each part is Base64URL-encoded, a URL-safe variant of Base64 that replaces + with - and / with _ and drops the trailing = padding. A standard Base64 decoder therefore usually needs the characters swapped back and the padding restored before it will accept a JWT segment.
The header contains metadata — typically the signing algorithm (alg: HS256, RS256, ES256) and token type (typ: JWT). The payload carries the claims: registered claims like iss (issuer), sub (subject), aud (audience), exp (expiration), nbf (not before), and iat (issued at), with all time claims expressed as seconds since the Unix epoch, plus any custom claims your application needs. The signature is computed over the ASCII string base64url(header) + "." + base64url(payload) with the algorithm named in the header, using a secret (HMAC) or private key (RSA/ECDSA), and the resulting bytes are Base64URL-encoded to form the third segment. A valid signature shows the token hasn’t been modified since it was issued — but it does not encrypt the content.
JWT security considerations
The most important thing to understand about a signed JWT is that it is not encrypted. Anyone who holds the token can decode the header and payload — that is exactly what this tool does: swap the Base64URL characters back to standard Base64, restore the padding, and call atob(). Signing only proves integrity (the token hasn’t been modified) and authenticity (it was issued by someone holding the signing key). It does not provide confidentiality; for that you need an encrypted JWT (JWE), or better, keep the data out of the token altogether.
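Putting the structure and decoding rules above into code, the following is an added example written for this page, not the decoder's own source. It performs the Base64URL conversion that atob() needs, splits and parses the three segments, and reports expiry status from exp and nbf. The sample token is constructed inside the block (its claim values and the placeholder signature are made up for the example), and nothing here checks the signature.

```javascript
// Added example, not the tool's source: decode a JWT's header and payload and
// report its expiry status. Like the tool, it does NOT verify the signature.

// Base64URL -> UTF-8 string. atob() only understands standard Base64, so restore
// '+' and '/', re-add the padding that Base64URL drops, then decode the bytes as UTF-8
// (JSON claim values may contain non-ASCII characters).
function base64UrlDecode(str) {
  let b64 = str.replace(/-/g, "+").replace(/_/g, "/");
  const rem = b64.length % 4;
  if (rem === 1) throw new Error("invalid Base64URL length");
  if (rem) b64 += "=".repeat(4 - rem);
  const bin = atob(b64);
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// UTF-8 string -> Base64URL. Used here only to build the constructed sample token.
function base64UrlEncode(str) {
  const bytes = new TextEncoder().encode(str);
  const bin = String.fromCharCode(...bytes);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Split header.payload.signature, parse the two JSON segments, and compare the
// exp / nbf claims against `now` (seconds since the epoch, the unit JWT time claims use).
function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  const [h, p, s] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  const status = { expired: null, notYetValid: null };
  if (Number.isInteger(payload.exp)) {
    status.expired = now >= payload.exp;
    status.secondsUntilExpiry = payload.exp - now;
  }
  if (Number.isInteger(payload.nbf)) status.notYetValid = now < payload.nbf;
  return { header, payload, signature: s, status };
}

// Constructed sample (values made up for this example): a token whose exp is one
// hour after iat. The signature segment is a placeholder; a decoder never reads it.
const SAMPLE_HEADER = { alg: "HS256", typ: "JWT" };
const SAMPLE_PAYLOAD = {
  iss: "https://issuer.example", sub: "user-42", aud: "api.example",
  iat: 1700000000, exp: 1700003600, role: "admin",
};
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify(SAMPLE_HEADER)),
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
  "placeholder-signature",
].join(".");

// Decode as if the clock read two hours after issuance: the token is expired.
console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN, 1700007200), null, 2));
```

The exp comparison uses the caller-supplied clock so the same function can be exercised against past and future instants; in the browser tool the default argument (the current time) is what you want.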
Never put sensitive information in a JWT payload: no passwords, API keys, personal data, or anything you wouldn’t want the user (or anyone who intercepts or logs the token) to read. Always validate tokens server-side: verify the signature with the algorithm and key your service expects rather than whatever the header’s alg says, rejecting any alg not on your allow-list; check exp (and nbf if present) against the current time; and validate iss and aud so a token minted for one service cannot be replayed against another. Serve everything over HTTPS to prevent token interception in transit, and keep lifetimes short, since a stolen bearer token works for whoever holds it until it expires.