What Is the JWT Decoder?
Decode and inspect JSON Web Tokens (JWTs). View the header, payload, and signature separately with auto-formatting and claim explanations.
Why Use This Tool?
JWTs are the standard for authentication tokens in modern web APIs, but they're Base64-encoded and unreadable without a decoder. This tool breaks a JWT into its three parts and displays each section with syntax highlighting.
How to Use This JWT Decoder
- Paste your JWT token — Copy a JWT from your application, API response, or browser DevTools and paste it into the input field. JWTs have three base64-encoded parts separated by dots.
- Read the decoded header — The header section shows the algorithm (usually HS256 or RS256) and token type. This tells you how the token is signed.
- Inspect the payload — The payload contains the claims — user ID, email, roles, expiration time, and any custom data your API includes.
- Check expiration — The exp claim shows when the token expires as a Unix timestamp. The tool converts this to a human-readable date so you can see if the token is still valid.
Tips and Best Practices
- Never trust a JWT without verification. This tool decodes the payload but doesn't verify the signature. In production, always verify the signature server-side using the signing secret or public key.
- JWTs are not encrypted. Base64 encoding is not encryption — anyone can decode a JWT and read its contents. Never store sensitive data (passwords, credit card numbers) in JWT claims.
- Check the exp and iat claims. The exp (expiration) and iat (issued at) timestamps help you debug authentication issues — a common cause of 401 errors is an expired token.
- Use short expiration times. Access tokens should expire in minutes (15–60 min), not days. Use refresh tokens for longer sessions. This limits the damage if a token is compromised.
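As an added example (not the tool's own code), here is a small Python decoder paired with the server-side HS256 verification the steps and tips above call for: it splits the three dot-separated parts, base64url-decodes header and payload, renders exp/iat/nbf as UTC dates, and then verifies the signature with the algorithm pinned so a header claiming alg "none" is rejected. The secret, timestamps and token are constructed sample values.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timezone

def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_jwt(token: str) -> dict:
    """Split and decode the three parts without verifying anything (what the tool does)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated parts")
    header, payload, signature = (b64url_decode(p) for p in parts)
    return {"header": json.loads(header), "payload": json.loads(payload), "signature": signature}

def describe_time_claims(payload: dict, now: int) -> dict:
    """Render iat/nbf/exp as UTC strings and say whether the token is current at Unix time `now`."""
    out = {c: datetime.fromtimestamp(payload[c], timezone.utc).isoformat()
           for c in ("iat", "nbf", "exp") if c in payload}
    out["expired"] = "exp" in payload and now >= payload["exp"]
    out["not_yet_valid"] = "nbf" in payload and now < payload["nbf"]
    return out

def verify_hs256(token: str, secret: bytes, now: int) -> dict:
    """Server-side check: pin the algorithm, compare the HMAC in constant time, then check times."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "HS256":  # rejects 'none' and any algorithm the server did not choose
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(body_b64))
    status = describe_time_claims(payload, now)
    if status["expired"] or status["not_yet_valid"]:
        raise ValueError("token outside its validity window")
    return payload

def sign_hs256(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint a demo token (constructed sample); alg != HS256 yields an unsigned header for the rejection test."""
    head_b64 = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body_b64 = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{head_b64}.{body_b64}.{b64url_encode(sig)}"
# Constructed sample: a 15-minute token issued at a fixed Unix time so results are repeatable
SECRET, ISSUED = b"demo-secret-not-for-production", 1_700_000_000
SAMPLE = sign_hs256({"sub": "user-42", "role": "admin", "iat": ISSUED, "exp": ISSUED + 900}, SECRET)
```

Call decode_jwt(SAMPLE) to see what the browser tool shows, and verify_hs256(SAMPLE, SECRET, now) for what a server must do before trusting any claim in it.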
Frequently Asked Questions
Is it safe to paste JWTs here?
Yes — this tool runs entirely in your browser. No data is sent to any server. However, never paste production JWTs containing real user data into any online tool. Use this for development and debugging tokens.
What are the standard JWT claims?
Common claims include: iss (issuer), sub (subject), aud (audience), exp (expiration time), iat (issued at), and nbf (not before). Custom claims can contain any application-specific data.
Can this tool verify JWT signatures?
This tool decodes and displays JWT contents but does not verify signatures, as that requires the secret key or public key used to sign the token.
What is a JWT token?
JWT (JSON Web Token) is a compact, URL-safe format for transmitting claims between two parties. It consists of three base64-encoded parts — header (algorithm), payload (claims/data), and signature (verification) — separated by dots. JWTs are the standard for API authentication and authorization.
What is the difference between HS256 and RS256?
HS256 uses a shared symmetric secret — both the issuer and verifier need the same key. RS256 uses asymmetric keys — a private key signs the token and a public key verifies it. RS256 is preferred for distributed systems where you don't want to share the signing secret.
Can JWT tokens be hacked?
JWTs can be compromised if the signing secret is weak or exposed, if the algorithm is set to 'none' (alg: none attack), or if tokens are transmitted over unencrypted connections. Always use strong secrets, validate the algorithm server-side, and transmit tokens over HTTPS only.
Built by Derek Giordano · Part of Ultimate Design Tools