JWT Decoder

Decode and inspect JSON Web Tokens (JWT) instantly.

Paste a JWT to decode its header and payload. Your token never leaves your browser.

What Is a JSON Web Token (JWT)?

A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties. Defined by RFC 7519, JWTs are widely used in authentication and authorization systems, especially in OAuth 2.0 and OpenID Connect flows. A JWT consists of three Base64URL-encoded parts separated by dots: a header, a payload, and a signature.

JWT Structure

The header specifies the token type (typically "JWT") and the signing algorithm (e.g., HS256, RS256, ES256). The payload contains claims — key-value pairs carrying the token's data, such as the subject (sub), issued-at time (iat), expiration (exp), and any custom claims your application defines. The signature is computed over the Base64URL-encoded header and payload (joined by a dot) using a shared secret key (HMAC algorithms such as HS256) or a private key (RS256, ES256), so a verifier can detect any change to the header or payload.

Common JWT Claims

Standard registered claims include: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). These claims have specific meanings defined by the specification. Applications can add any custom claims they need — common examples include email, roles, permissions, and name.

Security Considerations

JWTs are signed but not encrypted by default — anyone can decode the header and payload (that's exactly what this tool does). Never put sensitive information like passwords or credit card numbers in a JWT payload. This tool runs entirely in your browser, so your tokens are never sent to any server. For production use, always verify the signature server-side before trusting a JWT's claims, and always check the exp claim to reject expired tokens.