JWT Decoder
Decode and verify JSON Web Tokens instantly
What is a JWT (JSON Web Token)?
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, URL-safe way of representing claims as a JSON object so they can be transferred between parties. A JWT is normally digitally signed (or protected with an HMAC), which lets the recipient verify that the claims were issued by the holder of the signing key and were not altered in transit. The signature provides integrity and authenticity, not confidentiality: anyone who obtains the token can read its contents.
A JWT consists of three parts separated by dots: header, payload, and signature. The header names the signing algorithm and usually the token type (JWT). The payload carries the claims, statements about an entity (typically the user) plus additional data. The signature is computed over the encoded header and payload and lets the recipient detect that the message was changed along the way.
When Should You Decode JWTs?
Debugging & Development
Inspect JWT tokens during API development to verify claims, expiration times, and token structure
Security Analysis
Examine JWT contents to see what information is being transmitted and to check that tokens are signed with the expected algorithm, scoped to the right audience, and given a sensible lifetime
Token Expiration
Check expiration times (exp claim) and issued-at times (iat claim) to troubleshoot authentication issues
Integration Testing
Verify that third-party services are generating tokens with the correct claims and permissions
Understanding JWT Structure
Header
The header typically consists of two parts: the type of token (JWT) and the signing algorithm being used, such as HMAC SHA-256 (HS256) or RSA (RS256). This JSON is Base64Url encoded to form the first part of the JWT. A verifier should treat the alg value as something to check against the algorithm it expects, not as an instruction for which algorithm to run: the header is attacker-controlled until the signature has been verified.
{
"alg": "HS256",
"typ": "JWT"
}
Payload
The payload contains the claims, which are statements about an entity (typically the user) and additional metadata. There are three types of claims: registered, public, and private claims. Common claims include sub (subject), iat (issued at), and exp (expiration).
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022,
"exp": 1516242622
}
Signature
The signature binds the header and payload to a key: it lets the recipient check that the token was produced by a party holding that key and that neither part was changed along the way. To create it, the signer takes the Base64Url-encoded header, a dot, and the Base64Url-encoded payload, and signs that string with the secret (HMAC algorithms) or private key (RSA and ECDSA algorithms) using the algorithm named in the header. Verification recomputes the HMAC over the same string and compares it with the signature, or checks the signature with the public key. This decoder displays the signature but can only verify it when you supply the HMAC secret; note that a valid HMAC shows the token came from someone holding the shared secret, not which of the parties that was.
Common JWT Claims
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Identifies the principal that issued the JWT |
| sub | Subject | Identifies the subject of the JWT |
| aud | Audience | Identifies the recipients for the JWT |
| exp | Expiration Time | Time after which the JWT expires |
| nbf | Not Before | Time before which the JWT must not be accepted |
| iat | Issued At | Time at which the JWT was issued |
| jti | JWT ID | Unique identifier for the JWT |
Frequently Asked Questions
Can this tool verify JWT signatures?
Yes! This tool can verify JWT signatures for HMAC-based algorithms (HS256, HS384, HS512). Simply click the "Verify Signature" button in the signature section and enter your secret key. The verification happens entirely in your browser. Note that RSA and ECDSA algorithms (RS256, ES256, etc.) require public key verification which is not currently supported.
Is it safe to enter my secret key for verification?
All signature verification happens entirely in your browser - no data is ever sent to any server. However, as a security best practice, only use this feature with development/test keys, never with production secret keys. For production debugging, use server-side verification tools in your secure environment.
Is it safe to decode JWTs with sensitive data?
Yes, this tool runs entirely in your browser. No data is sent to any server. However, remember that JWT payloads are only Base64Url-encoded, not encrypted, so anyone who obtains a token can read every claim in it; they should never contain sensitive information such as passwords or personal data beyond what the recipient needs.
What does "Token Expired" mean?
If a JWT includes an "exp" (expiration) claim and that time has passed, the token is considered expired. The value is a number of seconds since the Unix epoch, and RFC 7519 requires the current time to be before it, so a token is expired at exactly its exp second. Validators commonly allow a small clock-skew tolerance when comparing. Expired tokens should not be accepted by services for authentication or authorization.
Why won't my JWT decode?
Signed JWTs (JWS compact serialization) have exactly three parts separated by dots (header.payload.signature). If your token doesn't decode, check for extra spaces, missing dots, or corrupted Base64Url encoding, and ensure you're pasting the complete token. A token with five dot-separated parts is a JWE (encrypted JWT), whose payload is ciphertext; this decoder does not handle that format.
Can I use this for production debugging?
Decoding happens client-side in your browser, so the token itself is not sent to a server. Keep in mind, though, that a production token is a bearer credential: anyone who obtains it can use it until it expires. Treat pasted tokens with the same care as passwords, never enter production signing secrets into the verification feature, and follow your organization's security policies regarding token handling.