JWT Decoder

Decode and inspect JSON Web Token header, payload, and claims instantly

What Is a JSON Web Token (JWT)?

A JSON Web Token (JWT, pronounced “jot”) is an open standard defined by RFC 7519 for securely transmitting claims between two parties as a compact, URL-safe string. JWTs are the backbone of modern authentication: when you log into an API-backed application, the server issues a JWT that your client sends with every subsequent request to prove identity without hitting a session store.

A JWT consists of three Base64URL-encoded segments separated by dots:

  • Header — declares the signing algorithm (alg, typically HS256, RS256, or ES256) and token type (typ, always JWT).
  • Payload — contains claims: key-value pairs that carry data about the user and the token itself. Claims can be registered (standardized names like sub, exp, iss), public (custom but collision-resistant), or private (agreed between issuer and consumer).
  • Signature — a cryptographic hash of the header and payload, created with a secret (HMAC) or private key (RSA/ECDSA). The signature lets the server verify that the token hasn’t been tampered with.

The resulting string looks like eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U — three dot-separated segments that any Base64 decoder can read, which is exactly what this tool does.

How to Decode a JWT with This Tool

  1. Paste the full JWT string into the input field — the token typically starts with eyJ.
  2. Click Decode or press Ctrl+Enter. The tool splits the token at the dots, Base64URL-decodes each segment, and parses the header and payload as JSON.
  3. Inspect the decoded output: the header shows the algorithm and type, the payload shows all claims with proper indentation.
  4. Check token status — if the payload contains exp, iat, or nbf claims, the tool converts the Unix timestamps to human-readable dates and tells you whether the token is currently valid or expired.
  5. Copy the decoded result with the Copy button or Ctrl+Shift+C.

The tool also auto-decodes when you paste — if the input looks like a valid JWT (three dot-separated segments starting with ey), decoding happens instantly without clicking a button.

Standard JWT Claims Explained

Understanding the registered claims in a JWT payload is essential for debugging authentication issues:

ClaimFull NamePurpose
subSubjectWho the token represents — usually a user ID or email
issIssuerThe service or authority that created the token
audAudienceThe intended recipient (API, service, or client ID)
expExpirationUnix timestamp after which the token is invalid
iatIssued AtUnix timestamp when the token was created
nbfNot BeforeToken is invalid before this Unix timestamp
jtiJWT IDUnique identifier to prevent token replay

Beyond these registered claims, tokens typically carry custom claims like role, scope, permissions, or email — whatever the issuer needs the consumer to know without making a database call.

Common JWT Debugging Scenarios

Developers reach for a JWT decoder when something goes wrong in the auth flow. Here are the issues this tool helps diagnose:

“401 Unauthorized” on every request. Decode the token and check exp — the most common cause is an expired access token. If the token expired minutes ago, your refresh-token flow may be broken. If it expired days ago, the user’s session is genuinely stale.

Wrong user or missing permissions. Inspect sub and any role or scope claims. A common bug is issuing a token for user A but populating claims for user B, especially in multi-tenant systems where the wrong tenant context leaks into the token.

“Token not yet valid” errors. Check the nbf (Not Before) claim. If the issuing server’s clock is ahead of the consuming server’s clock, the token’s nbf can be in the consumer’s future, causing rejection. Clock skew between services is a frequent source of intermittent auth failures.

Algorithm confusion. Decode the header and verify the alg field. If your server expects RS256 (asymmetric) but the token says HS256 (symmetric), signature verification will fail — or worse, if the server naively accepts both, it opens the door to the classic algorithm confusion attack where an attacker signs with the public key as an HMAC secret.

Oversized tokens. JWTs go in HTTP headers, and most servers cap headers at 8 KB. If your token carries too many claims (large permission arrays, embedded user profiles), it can silently fail. Decode it and check the payload size — if it’s over 4 KB, consider moving data to a server-side session or a reference token pattern.

JWT vs Other Token Formats

FeatureJWTOpaque TokenSAMLSession Cookie
FormatJSON, Base64URL-encodedRandom stringXML, Base64-encodedServer-side ID
Self-containedYes — claims are in the payloadNo — requires server lookupYes — assertions in XMLNo — server stores state
Size200-2000 bytes typical32-64 bytes2000-10000 bytes32-64 bytes
RevocationHard — valid until expiryEasy — delete from databaseHard — valid until expiryEasy — delete session
Best forStateless APIs, microservices, SPAsSimple auth, easy revocationEnterprise SSO, SOAPTraditional web apps

JWTs dominate modern API authentication because they’re stateless — any service with the public key can validate them without calling an auth server. The tradeoff is revocation: you can’t invalidate a JWT before it expires without maintaining a blocklist, which partially defeats the stateless benefit. Short expiration times (5-15 minutes) with refresh tokens are the standard mitigation.

Security Best Practices for JWTs

  • Never store secrets in JWT payloads. The payload is Base64-encoded, not encrypted — anyone with the token can read it. This tool proves the point: paste any JWT and read every claim. Don’t put passwords, API keys, or PII in claims.
  • Always validate the signature server-side. Decoding a JWT is not the same as verifying it. This browser tool decodes for inspection; your server must cryptographically verify the signature before trusting any claim.
  • Use short expiration times. Access tokens should expire in 5-15 minutes. Use refresh tokens (stored securely, not in localStorage) to get new access tokens.
  • Pin the algorithm. Configure your server to accept only the algorithm you expect (RS256, ES256). Never let the token’s alg header dictate which algorithm the server uses — that’s the algorithm confusion vulnerability.
  • Prefer asymmetric algorithms for distributed systems. RS256 or ES256 let any service validate tokens with the public key, while only the auth server holds the private signing key. HS256 requires sharing the secret with every validating service.

Frequently Asked Questions

How do I decode a JWT online?

Paste the full JWT string (starting with eyJ...) into the input field and click Decode or press Ctrl+Enter. The tool splits the token at the two dots, Base64URL-decodes the header and payload segments, and displays the parsed JSON with proper indentation. Expiration and issued-at timestamps are converted to human-readable dates automatically.

What is a JSON Web Token (JWT)?

A JSON Web Token is a compact, URL-safe string defined by RFC 7519 for transmitting claims between two parties. It has three Base64URL-encoded sections separated by dots: header (algorithm and type), payload (claims like user ID, roles, and expiration), and signature (cryptographic proof that the token hasn't been tampered with). JWTs are the standard for stateless authentication in REST APIs, OAuth 2.0 flows, and single sign-on systems.

Can this tool verify JWT signatures?

This tool decodes and displays the JWT header and payload but does not verify the cryptographic signature. Signature verification requires the server's secret key (for HMAC) or public key (for RSA/ECDSA), which should never be pasted into a browser tool. Use this decoder to inspect token contents and debug claims — verify signatures server-side or with a local CLI tool like jose or jsonwebtoken.

Is my JWT data safe in this tool?

Yes. All decoding runs entirely in your browser using JavaScript. No data is sent to any server, ever. You can verify this by opening your browser's Network tab — there are zero outbound requests when you decode a token. That said, avoid pasting production tokens with sensitive claims on shared or public computers, and revoke any token you suspect has been exposed.

What do the standard JWT claims mean?

The most common registered claims are: sub (subject — who the token is about, typically a user ID), iss (issuer — the service that created the token), aud (audience — the intended recipient), exp (expiration time as a Unix timestamp), iat (issued at — when the token was created), nbf (not before — the token is invalid before this time), and jti (JWT ID — a unique identifier to prevent replay attacks). This tool decodes all of these and converts timestamps to readable dates.

Why does my JWT show as expired?

The tool compares the exp (expiration) claim in the payload against your computer's current time. If the expiration timestamp is in the past, the token is expired. Common causes: the token was issued with a short TTL (5-15 minutes is typical for access tokens), your system clock is wrong, or you're inspecting a token from a previous session. Check the Issued and Expires timestamps in the decoded output to see the token's full lifetime.

What is the difference between a JWT and an API key?

A JWT is a self-contained token that carries claims (user identity, permissions, expiration) inside its payload — the server can validate it without a database lookup. An API key is an opaque string that the server must look up in a database to determine who is calling and what they can do. JWTs are preferred for stateless authentication at scale; API keys are simpler and better for machine-to-machine integrations where revocation speed matters more than scalability.