JWT Token Input

Decoded Output Live

Start typing JWT to see live preview...

JWT Decoder - Free Online JSON Web Token Inspector

Decode and inspect JWT tokens instantly. View header, payload claims, algorithm, and expiry. Free, browser-based, private - your token never leaves your device. Supports all JWT algorithms including HS256, RS256, ES256.

What Is a JWT? Complete Guide to JSON Web Tokens

A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained method for securely transmitting information between parties as a JSON object. JWTs are widely used in modern web applications for authentication, authorization, and information exchange between microservices and APIs.

A JWT consists of three Base64URL-encoded parts separated by dots (.): Header.Payload.Signature. The header specifies the token type and signing algorithm. The payload carries claims - statements about the user and additional metadata. The signature verifies that the token has not been tampered with. Although the contents are encoded (not encrypted), the signature ensures integrity: anyone can read a JWT payload, but only the issuer with the secret key can create a valid signature.

JWTs are used as OAuth 2.0 access tokens, OpenID Connect ID tokens, API authentication credentials, and stateless session tokens in single-page applications (SPAs), mobile apps, and microservice architectures.

JWT Structure: Header, Payload, and Signature Explained

Part 1: Header

The header typically contains two fields:

{
  "alg": "HS256",
  "typ": "JWT"
}

The alg field specifies the signing algorithm. Common values: HS256 (HMAC-SHA256), RS256 (RSA-SHA256), ES256 (ECDSA-SHA256), none (unsigned - dangerous). The kid (key ID) field is sometimes present for key rotation.

Part 2: Payload (Claims)

The payload carries claims:

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622
}

Standard claims: sub (subject), iss (issuer), aud (audience), exp (expiration), iat (issued at), nbf (not before), jti (JWT ID). Custom claims can store any application-specific data.

Part 3: Signature

The signature is computed as:

HMACSHA256(
  base64url(header) + "." +
  base64url(payload),
  secret
)

The signature prevents tampering. It can only be verified by the party holding the secret key (symmetric) or the public key (asymmetric). This tool decodes JWTs but does not verify signatures - signature verification requires the secret/public key.

Example JWT Token Decoded

Raw JWT Token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1MTYyNDI2MjJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Decoded Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Decoded Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622
}

JWT Use Cases: When and Why JWTs Are Used

OAuth 2.0 Access Tokens

OAuth 2.0 authorization servers issue JWT access tokens that clients include in API requests (Authorization: Bearer <token>). Resource servers validate the token's signature and claims without querying the authorization server, enabling stateless authentication at scale.

OpenID Connect (OIDC) ID Tokens

OIDC extends OAuth 2.0 with ID tokens - JWTs that carry identity claims about the authenticated user (name, email, profile picture, email verification status). Used by identity providers like Google, Microsoft, Auth0, Okta, and Keycloak.

Single Sign-On (SSO)

Enterprise SSO systems use JWTs to carry authenticated identity across multiple applications within an organization. The user authenticates once, receives a JWT, and that token grants access across all integrated apps without re-authentication. Common in SAML alternatives and modern identity platforms.

Microservice Authentication

In microservice architectures, service-to-service API calls are authenticated using JWTs. An API gateway validates incoming JWTs and may issue internal service tokens. JWTs carry user context (user ID, roles, permissions) without requiring each microservice to query a central user database.

API Key Authentication

Some APIs issue signed JWTs as long-lived API credentials. These can carry rate limit tiers, allowed scopes, and expiry information within the token itself, enabling the API to make authorization decisions without database lookups.

Session Tokens for SPAs and Mobile Apps

Single-page applications (React, Vue, Angular) and mobile apps commonly store JWTs in memory or localStorage to maintain authenticated sessions. The token is sent with each API request, allowing stateless backend APIs that do not maintain server-side session state.

JWT Security Best Practices

  • Never put sensitive data in JWT payloads. JWT payloads are only Base64URL-encoded, not encrypted. Anyone with the token can read the payload. For confidential data, use JWE (JSON Web Encryption) which encrypts the payload.
  • Always verify the signature on the server. Client-side JWT decoding (like this tool does) is for inspection only. Production servers must verify the cryptographic signature using a library like jsonwebtoken (Node.js), PyJWT (Python), or java-jwt (Java) before trusting any claims.
  • Use short expiration times (exp). Access tokens should typically expire in 15–60 minutes. Use refresh tokens for longer sessions. Short-lived tokens limit the damage if a token is stolen.
  • Validate all claims. Always check iss (issuer), aud (audience), exp (expiration), and nbf (not before) in addition to the signature.
  • Use strong algorithms. Prefer RS256 or ES256 (asymmetric) for production systems. HS256 requires securely sharing the secret key between token issuer and verifier. Never accept alg: none tokens.
  • Transmit only over HTTPS. JWTs in transit must be protected by TLS. Never send JWTs over unencrypted HTTP.
  • Do not paste production tokens into online tools. Use this tool only for development, testing, and debugging with non-production tokens.

Frequently Asked Questions About JWT Decoding

Can I decode any JWT without the secret key?

Yes. The header and payload of a JWT are Base64URL-encoded, not encrypted. Anyone with the token can decode and read them without knowing the secret key. This is by design - JWTs are meant to be readable. The signature prevents tampering with the claims, but does not hide them. This tool decodes the header and payload exactly as designed. For confidential payloads, JWE (JSON Web Encryption) provides actual encryption.

What is the difference between decoding and verifying a JWT?

Decoding reads the header and payload by Base64URL-decoding the first two parts of the token. Anyone can do this. Verifying a JWT means checking the cryptographic signature to confirm the token was issued by a trusted party and has not been modified. Verification requires the secret key (HS256) or public key (RS256/ES256) and must be done on the server side using a trusted JWT library - never on the client.

Is this JWT decoder safe to use with real tokens?

This tool processes JWTs entirely in your browser - no data is sent to any server. For development and testing tokens, it is safe. For production tokens containing live user sessions, access credentials, or PII, exercise caution with any online tool. As a best practice, never paste production security tokens into third-party websites, and rotate tokens after debugging sessions.

What does "JWT expired" mean?

JWTs include an exp (expiration) claim - a Unix timestamp after which the token is no longer valid. When decoding a JWT, check the exp value in the payload. If the current time is past the exp timestamp, the token has expired and should be rejected by the server. Clients need to refresh their token using a refresh token or re-authenticate.

What JWT algorithms are supported?

This tool decodes any JWT regardless of the signing algorithm because decoding does not require the secret key. Common algorithms include HS256 (HMAC-SHA256 symmetric), HS384, HS512, RS256 (RSA-SHA256 asymmetric), RS384, RS512, ES256 (ECDSA-SHA256), ES384, ES512, and PS256 (RSA-PSS). The algorithm is shown in the decoded header's alg field.

How do I decode a JWT in code?

In JavaScript: JSON.parse(atob(token.split('.')[1])) decodes the payload (works for ASCII; use proper Base64URL handling for Unicode). In Node.js, use the jsonwebtoken library: jwt.decode(token) for decoding only, or jwt.verify(token, secret) for verified decoding. In Python: import jwt; jwt.decode(token, options={"verify_signature": False}).

What is the difference between JWT, JWS, and JWE?

JWT (JSON Web Token) is the general standard. JWS (JSON Web Signature, RFC 7515) is a JWT with a cryptographic signature for integrity verification - this is what most people mean by "JWT." JWE (JSON Web Encryption, RFC 7516) encrypts the payload for confidentiality. A JWE has 5 parts instead of 3 and the payload is not readable without the decryption key.