JWT Decoder - Decode JSON Web Tokens Online
Decode and inspect JWT tokens instantly. View header, payload, and all claims. Debug authentication tokens without exposing your secret key.
What Is a JWT?
A JSON Web Token (JWT, pronounced "jot") is a compact, self-contained token format defined by RFC 7519. It encodes claims — statements about a user or system — as a JSON object that is digitally signed, ensuring the payload cannot be tampered with undetected.
A JWT consists of three Base64url-encoded parts separated by dots:
xxxxx.yyyyy.zzzzz
Header . Payload . Signature
JWT Structure Explained
Header
Specifies the token type and signing algorithm. Common algorithms:
- HS256 — HMAC-SHA256, symmetric (one shared secret)
- RS256 — RSA-SHA256, asymmetric (private key signs, public key verifies)
- ES256 — ECDSA with P-256, compact asymmetric
Payload — Standard Claims
| Claim | Meaning | Type |
|---|---|---|
| iss | Issuer — who issued the token | string |
| sub | Subject — usually the user ID | string |
| aud | Audience — intended recipient | string/array |
| exp | Expiration — Unix timestamp after which the token is invalid | number |
| nbf | Not before — token not valid before this time | number |
| iat | Issued at — creation Unix timestamp | number |
| jti | JWT ID — unique ID for replay prevention | string |
Signature
Proves the token has not been tampered with. For HS256: HMAC-SHA256(base64url(header) + "." + base64url(payload), secret). Signature verification requires the secret or public key — decoding alone only shows the raw payload without confirming authenticity.
Common JWT Debugging Scenarios
- Token expired: Check the exp claim — it is a Unix timestamp. This tool converts it to a human-readable date automatically.
- Wrong audience: If your API rejects a valid-looking token, verify the aud claim matches what your service expects.
- Algorithm mismatch: The server may expect RS256 but the token header says HS256 — a common misconfiguration in OAuth setups.
- Missing custom claims: Some middleware requires specific claims (e.g., roles, tenant_id). Use the decoder to confirm they are present and correctly spelled.
- Clock skew: If iat or nbf seem off, check that your server's system clock is synced via NTP.
Security Best Practices
- Always set short expiration times — 15 minutes for access tokens, up to 30 days for refresh tokens with rotation.
- Validate all claims server-side: exp, iss, and aud at minimum.
- Use asymmetric algorithms (RS256, ES256) when multiple services need to verify tokens — they only need the public key.
- Never store JWTs in localStorage; prefer HttpOnly cookies to mitigate XSS theft.
- Guard against the "none" algorithm attack: ensure your library rejects tokens with "alg": "none".
Frequently Asked Questions
What is a JWT token?
A JSON Web Token is a compact, URL-safe token with three parts: header (algorithm/type), payload (claims about the user), and signature (integrity proof). It is widely used for stateless authentication — the server signs user info so future requests can be verified without a database lookup.
Is it safe to decode a JWT in this online tool?
This decoder runs entirely in your browser — your token never leaves your machine. As a general security practice, avoid pasting production tokens with sensitive user data into any public tool. Use this for development and debugging tokens only.
Does decoding verify the JWT signature?
No. Decoding only extracts and displays the header and payload. Signature verification requires the secret (HMAC) or public key (RSA/ECDSA) and must be done server-side. Never make authorization decisions based solely on a decoded but unverified JWT.
What are common JWT claims?
Standard claims: iss (issuer), sub (subject/user ID), aud (audience), exp (expiration), iat (issued at), nbf (not before), jti (unique ID). Applications commonly add custom claims like roles, email, or permissions.