Privacy First
All JWT decoding happens locally in your browser. Your tokens are never sent to any server. However, be cautious about sharing decoded tokens as they may contain sensitive information.
JWT Tips
This tool decodes tokens but doesn't verify signatures. Always verify signatures server-side.
Check the 'exp' claim to see when tokens expire. Expired tokens should be refreshed.
JWTs are encoded, not encrypted. Never store sensitive data in tokens that shouldn't be readable.
About JWT Decoder
Decode and inspect JSON Web Tokens (JWT) instantly with our free online JWT decoder. View the decoded header (algorithm, token type), payload (claims like sub, iat, exp, iss, aud), and signature. Check if tokens are expired, see timestamps in human-readable format, and copy decoded data with one click. Perfect for debugging authentication, verifying API tokens, and understanding JWT structure. All processing happens locally in your browser - your tokens are never sent to any server.
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. JWTs are commonly used for authentication and information exchange in web applications. The token consists of three parts:
Header
Contains metadata about the token, including the signing algorithm (alg) and token type (typ).
Payload
Contains the claims - statements about the user and additional data like expiration time.
Signature
Lets the recipient verify that the header and payload haven't been tampered with; it is computed over the encoded header and payload using a secret key (HMAC) or a private key (RSA/ECDSA).
Common JWT Claims
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Identifies who issued the token |
| sub | Subject | Identifies who the token is about (usually user ID) |
| aud | Audience | Identifies intended recipients of the token |
| exp | Expiration | Unix timestamp when the token expires |
| iat | Issued At | Unix timestamp when the token was created |
| nbf | Not Before | Token is not valid before this time |
| jti | JWT ID | Unique identifier for the token |
Common Use Cases
- Authentication - Verify user identity after login without querying database
- Authorization - Include user roles/permissions to control access
- Information Exchange - Securely transmit data between services
- API Security - Protect API endpoints with bearer token authentication
- Single Sign-On (SSO) - Share authentication across multiple applications
- Stateless Sessions - Store session data in the token instead of server
Frequently Asked Questions
What is a JWT (JSON Web Token)?
A JWT is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three parts separated by dots: header (algorithm and token type), payload (claims/data), and signature (for verification).
Can this tool verify JWT signatures?
This tool decodes and displays the JWT contents but does not verify signatures, as that would require the secret key or public key. For signature verification, you need access to the signing key on your server.
What are common JWT claims?
Common claims include: sub (subject - who the token is about), iss (issuer - who created the token), exp (expiration time), iat (issued at), nbf (not before), aud (audience - intended recipient), and jti (JWT ID - unique identifier).
Why is my token showing as expired?
The exp (expiration) claim contains a Unix timestamp. If the current time is past this timestamp, the token is expired. Tokens are typically short-lived (minutes to hours) for security reasons.
Is it safe to paste my JWT here?
Yes! All decoding happens entirely in your browser using JavaScript. Your token is never sent to any server. However, never share JWTs publicly as they may contain sensitive information.
What algorithms are used in JWTs?
Common algorithms include HS256 (HMAC with SHA-256, symmetric), RS256 (RSA with SHA-256, asymmetric), and ES256 (ECDSA with SHA-256). The algorithm is specified in the header's "alg" field.