Decode and inspect JWT tokens instantly. View header, payload claims, algorithm, and expiry. Free, browser-based, private - your token never leaves your device. Supports all JWT algorithms including HS256, RS256, ES256.
A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained method for securely transmitting information between parties as a JSON object. JWTs are widely used in modern web applications for authentication, authorization, and information exchange between microservices and APIs.
A JWT consists of three Base64URL-encoded parts separated by dots (.): Header.Payload.Signature. The header specifies the token type and signing algorithm. The payload carries claims - statements about the user and additional metadata. The signature verifies that the token has not been tampered with. Although the contents are encoded (not encrypted), the signature ensures integrity: anyone can read a JWT payload, but only the issuer with the secret key can create a valid signature.
JWTs are used as OAuth 2.0 access tokens, OpenID Connect ID tokens, API authentication credentials, and stateless session tokens in single-page applications (SPAs), mobile apps, and microservice architectures.
The header typically contains two fields:
{
"alg": "HS256",
"typ": "JWT"
}The alg field specifies the signing algorithm. Common values: HS256 (HMAC-SHA256), RS256 (RSA-SHA256), ES256 (ECDSA-SHA256), none (unsigned - dangerous). The kid (key ID) field is sometimes present for key rotation.
The payload carries claims:
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022,
"exp": 1516242622
}Standard claims: sub (subject), iss (issuer), aud (audience), exp (expiration), iat (issued at), nbf (not before), jti (JWT ID). Custom claims can store any application-specific data.
The signature is computed as:
HMACSHA256( base64url(header) + "." + base64url(payload), secret )
The signature prevents tampering. It can only be verified by the party holding the secret key (symmetric) or the public key (asymmetric). This tool decodes JWTs but does not verify signatures - signature verification requires the secret/public key.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1MTYyNDI2MjJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
{
"alg": "HS256",
"typ": "JWT"
}{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022,
"exp": 1516242622
}OAuth 2.0 authorization servers issue JWT access tokens that clients include in API requests (Authorization: Bearer <token>). Resource servers validate the token's signature and claims without querying the authorization server, enabling stateless authentication at scale.
OIDC extends OAuth 2.0 with ID tokens - JWTs that carry identity claims about the authenticated user (name, email, profile picture, email verification status). Used by identity providers like Google, Microsoft, Auth0, Okta, and Keycloak.
Enterprise SSO systems use JWTs to carry authenticated identity across multiple applications within an organization. The user authenticates once, receives a JWT, and that token grants access across all integrated apps without re-authentication. Common in SAML alternatives and modern identity platforms.
In microservice architectures, service-to-service API calls are authenticated using JWTs. An API gateway validates incoming JWTs and may issue internal service tokens. JWTs carry user context (user ID, roles, permissions) without requiring each microservice to query a central user database.
Some APIs issue signed JWTs as long-lived API credentials. These can carry rate limit tiers, allowed scopes, and expiry information within the token itself, enabling the API to make authorization decisions without database lookups.
Single-page applications (React, Vue, Angular) and mobile apps commonly store JWTs in memory or localStorage to maintain authenticated sessions. The token is sent with each API request, allowing stateless backend APIs that do not maintain server-side session state.
exp). Access tokens should typically expire in 15–60 minutes. Use refresh tokens for longer sessions. Short-lived tokens limit the damage if a token is stolen.iss (issuer), aud (audience), exp (expiration), and nbf (not before) in addition to the signature.alg: none tokens.Yes. The header and payload of a JWT are Base64URL-encoded, not encrypted. Anyone with the token can decode and read them without knowing the secret key. This is by design - JWTs are meant to be readable. The signature prevents tampering with the claims, but does not hide them. This tool decodes the header and payload exactly as designed. For confidential payloads, JWE (JSON Web Encryption) provides actual encryption.
Decoding reads the header and payload by Base64URL-decoding the first two parts of the token. Anyone can do this. Verifying a JWT means checking the cryptographic signature to confirm the token was issued by a trusted party and has not been modified. Verification requires the secret key (HS256) or public key (RS256/ES256) and must be done on the server side using a trusted JWT library - never on the client.
This tool processes JWTs entirely in your browser - no data is sent to any server. For development and testing tokens, it is safe. For production tokens containing live user sessions, access credentials, or PII, exercise caution with any online tool. As a best practice, never paste production security tokens into third-party websites, and rotate tokens after debugging sessions.
JWTs include an exp (expiration) claim - a Unix timestamp after which the token is no longer valid. When decoding a JWT, check the exp value in the payload. If the current time is past the exp timestamp, the token has expired and should be rejected by the server. Clients need to refresh their token using a refresh token or re-authenticate.
This tool decodes any JWT regardless of the signing algorithm because decoding does not require the secret key. Common algorithms include HS256 (HMAC-SHA256 symmetric), HS384, HS512, RS256 (RSA-SHA256 asymmetric), RS384, RS512, ES256 (ECDSA-SHA256), ES384, ES512, and PS256 (RSA-PSS). The algorithm is shown in the decoded header's alg field.
In JavaScript: JSON.parse(atob(token.split('.')[1])) decodes the payload (works for ASCII; use proper Base64URL handling for Unicode). In Node.js, use the jsonwebtoken library: jwt.decode(token) for decoding only, or jwt.verify(token, secret) for verified decoding. In Python: import jwt; jwt.decode(token, options={"verify_signature": False}).
JWT (JSON Web Token) is the general standard. JWS (JSON Web Signature, RFC 7515) is a JWT with a cryptographic signature for integrity verification - this is what most people mean by "JWT." JWE (JSON Web Encryption, RFC 7516) encrypts the payload for confidentiality. A JWE has 5 parts instead of 3 and the payload is not readable without the decryption key.
Discover more free developer tools that might interest you