Paste a JWT token to instantly decode the header and payload. Check expiration status. No data is sent to any server, ever.
A JSON Web Token (JWT) is an open standard (RFC 7519) for transmitting information between parties as a compact, URL-safe string. JWTs are commonly used for authentication and authorization: when a user logs in, the server issues a JWT that the client sends with subsequent requests to prove identity.
A JWT consists of three Base64URL-encoded sections separated by dots. The header contains the token type and signing algorithm (e.g. HS256, RS256). The payload contains "claims", statements about the user or session such as user ID, email, roles, and expiration time. The signature is an HMAC (for HS256 and similar) or a digital signature (for RS256, ES256 and similar) computed over the encoded header and payload, and is used to verify that the token hasn't been tampered with. Note that the header and payload are only encoded, not encrypted: anyone holding the token can read them.
Common registered claims:
sub (subject): the entity the token refers to, typically a user ID.
iss (issuer): who created the token.
aud (audience): who the token is intended for.
exp (expiration): Unix timestamp after which the token is invalid.
iat (issued at): when the token was created.
nbf (not before): the token is not valid before this time.
Verifying a JWT signature requires the secret key (for HMAC algorithms) or the public key (for RSA/ECDSA algorithms). Exposing a secret key in client-side JavaScript would be catastrophic. Signature verification must always happen on your server. This tool is only for inspecting and debugging the contents of a token, never for security-critical verification.
JWT decoders are useful for checking whether a token has expired, inspecting which claims are present, debugging authentication issues between services, verifying the algorithm field matches your expectations, and understanding what user data is embedded in a token you received from a third-party provider.
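The following is an added example, not the tool's own code, showing what a local JWT decoder like the one described above does: it splits the three sections, Base64URL-decodes the header and payload, reports expiration status from exp and nbf, and flags a missing or "none" algorithm, while deliberately never verifying the signature. It assumes Node's Buffer for Base64 handling; the sample token is constructed inline and is not a real credential.

```javascript
// Base64URL uses '-' and '_' in place of '+' and '/' and omits '=' padding,
// so restore those before handing the string to a standard Base64 decoder.
function base64UrlDecode(segment) {
  const base64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function base64UrlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode only. `now` is a Unix timestamp in seconds (defaults to the current time).
// Per RFC 7519 a token is expired once now >= exp and not yet valid while now < nbf.
function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated sections");
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  const warnings = [];
  if (typeof header.alg !== "string" || header.alg.toLowerCase() === "none") {
    warnings.push("alg is missing or 'none': token carries no usable signature");
  }
  if (parts[2] === "") warnings.push("signature section is empty");
  let status = "no exp claim";
  if (typeof payload.exp === "number") status = payload.exp <= now ? "expired" : "valid";
  if (typeof payload.nbf === "number" && payload.nbf > now) status = "not yet valid";
  // signatureVerified is always false here: checking it needs the key and belongs on the server.
  return { header, payload, status, warnings, signatureVerified: false };
}

// Constructed sample token (not a real credential): HS256 header, a payload that
// expires at Unix time 1700000000, and a placeholder signature that is never checked.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({ sub: "user-123", iss: "example-issuer", iat: 1699990000, exp: 1700000000 })),
  "placeholder-signature",
].join(".");

console.log(decodeJwt(SAMPLE_TOKEN, 1699999999).status);
console.log(decodeJwt(SAMPLE_TOKEN, 1700000000).status);
```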