JWT Decoder
Decode and inspect JSON Web Tokens. Paste your JWT below to view the header and payload:
What is a JWT?
JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. JWTs are commonly used for authentication and authorization in web applications and APIs.
JWT Structure
A JWT consists of three parts separated by dots:
`header.payload.signature`

| Part | Contents | Purpose |
|---|---|---|
| Header | Algorithm, token type | Describes how the token is signed |
| Payload | Claims (user data) | Contains the actual data/claims |
| Signature | HMAC or digital signature over the header and payload | Verifies the token is authentic |
Common JWT Claims
The payload typically contains these standard claims:
| Claim | Name | Description |
|---|---|---|
| sub | Subject | Who the token is about (usually user ID) |
| iat | Issued At | When the token was created (Unix timestamp) |
| exp | Expiration | When the token expires (Unix timestamp) |
| iss | Issuer | Who issued the token |
| aud | Audience | Intended recipient of the token |
Security Considerations
Important: This tool decodes JWTs but does not verify signatures. Anyone can decode a JWT and read its contents — the signature only prevents tampering.
- Never trust a JWT without verifying its signature on your server
- Don't store sensitive data in JWT payloads (they're not encrypted)
- Always check the exp claim to reject expired tokens
- Validate that the iss and aud claims match expected values
JWT vs Session Cookies
| Feature | JWT | Session Cookie |
|---|---|---|
| Storage | Client-side | Server-side |
| Scalability | Stateless, easy to scale | Requires session store |
| Revocation | Harder (needs blocklist) | Easy (delete session) |
| Size | Larger (contains data) | Small (just an ID) |
Working with JWTs in Code
JavaScript

```javascript
// Decode without verifying (like this tool)
function decodeJWT(token) {
  // The payload is base64url, so map it back to standard base64 before atob()
  const payload = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(atob(payload));
}

// With a library (recommended for verification)
import jwt from 'jsonwebtoken';
const decoded = jwt.verify(token, secretKey);
```

Python

```python
import jwt

# Decode without verifying
decoded = jwt.decode(token, options={"verify_signature": False})

# Decode with verification (pin the expected algorithm)
decoded = jwt.decode(token, secret_key, algorithms=["HS256"])
```

Related Tools
- Base64 Encode/Decode — Encode or decode Base64 data
- JSON Validator — Validate JSON syntax
- JSON Pretty Print — Format JSON for readability
Frequently Asked Questions
Is it safe to decode a JWT in the browser?
Yes, decoding is safe. JWTs are not encrypted — the header and payload are just Base64url-encoded JSON. The signature protects against tampering, not reading. Never put sensitive information in a JWT that you wouldn't want users to see.
Why does my JWT show as expired?
The exp claim is a Unix timestamp. If the current time is past this value, the token is expired. Tokens typically expire in minutes to hours for security.
Can I verify the signature with this tool?
No. Signature verification requires the secret key or public key used to sign the token, which should never be shared publicly. Use server-side code to verify signatures.