JWT Decoder
Paste a JSON Web Token (JWT) to inspect its header and payload. Decoding happens entirely in your browser – nothing is sent to the server. No signature verification is performed.
JWT Input
Tip: You can decode tokens with or without a signature, for example `header.payload` or `header.payload.signature`.
Decoded Summary
Header
| Field | Value |
|---|---|
| alg | |
| typ | |
| kid | |
Standard Claims
| Claim | Value |
|---|---|
| sub | |
| iss | |
| aud | |
| exp | |
| iat | |
| nbf | |
| jti | |
This tool decodes tokens but does not validate signatures or verify authenticity. Use it only for development and debugging.
What Is a JWT (JSON Web Token)?
A JSON Web Token (JWT) is a compact, URL-safe token format used to represent claims between two parties. JWTs are commonly used for authentication and authorization in modern web and API applications.
A JWT is split into three Base64URL-encoded parts:
- Header – defines the algorithm and token type (for example, `alg` and `typ`).
- Payload – contains claims about the user or context (such as `sub`, `iss`, `exp`).
- Signature – ensures integrity and authenticity, when properly verified.
Common JWT Use Cases
- Representing authenticated user sessions in single-page and mobile applications.
- Passing user identity and permissions between microservices.
- Encoding claims for API access tokens and ID tokens (for example, OpenID Connect).
- Debugging tokens issued by identity providers (Auth0, AWS Cognito, Azure AD, etc.).
Security Reminder
This JWT decoder is designed for inspection and debugging only. It does not verify signatures or check whether the token is valid or trusted.
- Never assume a decoded JWT is trustworthy without verifying its signature and claims.
- Always validate `iss`, `aud`, `exp`, and other critical claims in your own code.
- Do not paste sensitive production tokens into tools you do not control.
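The decoding and claim checks described above, as an added JavaScript example that is not this tool's own code. The function names, the issuer and audience values, and the sample token are constructed assumptions; the signature is not verified here, so run these checks only on a token whose signature a vetted library has already verified.

```javascript
// Added example: decode a JWT and check registered claims. It does NOT verify the signature.
function b64urlToJson(segment) {
  // Base64URL -> Base64: swap the URL-safe alphabet back and restore '=' padding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(segment.length / 4) * 4, '=');
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function decodeJwt(token) {
  const parts = token.trim().split('.');
  // Accept header.payload or header.payload.signature, as the tool does.
  if (parts.length < 2 || parts.length > 3 || !parts[0] || !parts[1]) {
    throw new Error('expected header.payload[.signature]');
  }
  return {
    header: b64urlToJson(parts[0]),
    payload: b64urlToJson(parts[1]),
    hasSignature: parts.length === 3 && parts[2].length > 0,
  };
}

// Returns a list of problems; an empty list means only that these claim checks passed.
function checkClaims(payload, { issuer, audience, now = Math.floor(Date.now() / 1000), leeway = 0 }) {
  const problems = [];
  if (payload.iss !== issuer) problems.push('iss mismatch');
  // aud may be a single string or an array of strings.
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(audience)) problems.push('aud mismatch');
  if (typeof payload.exp !== 'number') problems.push('exp missing');
  else if (now >= payload.exp + leeway) problems.push('token expired');
  if (typeof payload.nbf === 'number' && now + leeway < payload.nbf) {
    problems.push('token not yet valid');
  }
  return problems;
}

// Constructed sample token (unsigned header.payload form) with made-up values.
const enc = (o) => btoa(JSON.stringify(o))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleToken = [
  enc({ alg: 'HS256', typ: 'JWT' }),
  enc({ sub: 'user-123', iss: 'https://issuer.example', aud: ['orders-api'], exp: 1700000000 }),
].join('.');
```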