JWT Decoder - Decode JSON Web Tokens Online Free
Decode and inspect JSON Web Tokens (JWT) to view header, payload, and signature information. Perfect for debugging authentication, understanding token contents, and verifying JWT structure without external libraries.
Why Use JWT Decoder?
- Instant Decoding: View JWT contents immediately
- Structure View: See header, payload, and signature separately
- Expiry Check: See when token expires or if it's already expired
- No Verification: Decode without needing the secret key
Common Use Cases
🔐 Debugging Auth
Inspect authentication tokens during development.
👤 User Claims
View user permissions and metadata in tokens.
⏰ Expiry Check
Verify token expiration times and validity.
🔍 API Testing
Examine tokens from API responses.
How to Use This Tool
- Paste Token: Copy your JWT token and paste it into the input field.
- View Parts: See the decoded header, payload, and signature automatically.
- Check Claims: Review user claims, expiry dates, and other token information.
💡 Tip: This tool only DECODES tokens (Base64). It doesn't verify signatures or require secrets.
JWT Token Decoder
Token Information
Understanding JWT Tokens
A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three parts separated by dots (.):
JWT Structure
header.payload.signature
Header
Contains token type (JWT) and signing algorithm (HS256, RS256, etc.)
Payload
Contains claims (user data, permissions, expiry, etc.)
Signature
Verifies token hasn't been tampered with
Standard JWT Claims
- iss (Issuer): Who issued the token
- sub (Subject): Who the token is about (usually user ID)
- aud (Audience): Who the token is intended for
- exp (Expiration): When the token expires (Unix timestamp)
- nbf (Not Before): Token not valid before this time
- iat (Issued At): When the token was created
- jti (JWT ID): Unique identifier for the token
Example JWT
Token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Signing Algorithms
Symmetric (HMAC)
- HS256: HMAC with SHA-256
- HS384: HMAC with SHA-384
- HS512: HMAC with SHA-512
Asymmetric (RSA/ECDSA)
- RS256: RSA with SHA-256
- ES256: ECDSA with SHA-256
- PS256: RSA-PSS with SHA-256
Security Considerations
- JWTs are encoded, NOT encrypted - don't store sensitive data
- Always verify the signature before trusting token contents
- Use HTTPS to prevent token interception
- Set appropriate expiration times (exp claim)
- Store tokens securely (HttpOnly cookies, not localStorage)
- This decoder doesn't verify signatures - it only decodes
Related Tools
- Base64 Encoder - Encode/decode Base64
- UUID Generator - Generate unique identifiers
- Regex Tester - Test JWT validation patterns