JWT Decoder
Decode and inspect JSON Web Tokens — header, payload, claims, and expiry status.
How It Works
A JSON Web Token (JWT) is a compact, URL-safe string used to represent claims between two parties. It consists of three base64url-encoded parts separated by dots: header.payload.signature.
The header declares the token type (typ) and the signing algorithm (alg), such as HS256 (HMAC-SHA256) or RS256 (RSA-SHA256). The payload contains the claims — statements about an entity (typically a user) and additional metadata. Common registered claims include iss (issuer), sub (subject), aud (audience), iat (issued at), and exp (expiration time).
The signature is computed by the issuer over the header and payload using a secret (HMAC) or private key (RSA/ECDSA). You can always decode the header and payload — they are only encoded, not encrypted. However, you cannot verify the signature without the original secret or public key, which is why this tool decodes but does not verify. A decoded token therefore shows what it asserts, not whether the assertion is authentic: treat the displayed claims, including the expiry status, as unverified until the signature has been checked against the issuer's key. Never put sensitive data in a JWT payload unless the token is also encrypted (JWE).
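As an added example (not the tool's own code), the Python below does what the page describes: it splits the three parts, restores the base64url padding that tokens strip, reports expiry from exp, and keeps decoding separate from verification, which only succeeds for a caller who holds the HS256 secret. The secret and token are constructed for the example; SAMPLE_SECRET, make_hs256_token and the claim values are not from any real issuer.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    """Base64url without the '=' padding, as JWTs require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    """Base64url decode, restoring the padding the token omits."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt(token: str, now=None) -> dict:
    """Decode header and payload without verifying; exp is seconds since the Unix epoch."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    now = time.time() if now is None else now
    exp = payload.get("exp")
    # 'verified' is always False here: decoding shows what the token asserts, not who issued it.
    return {"header": header, "payload": payload,
            "expired": exp is not None and now >= exp, "verified": False}

def verify_hs256(token: str, secret: bytes) -> bool:
    """Verify an HS256 signature with the issuer's secret; any other alg is rejected."""
    signing_input, _, sig = token.rpartition(".")
    if json.loads(b64url_decode(signing_input.split(".")[0])).get("alg") != "HS256":
        return False  # never let the token pick the algorithm we verify with
    expected = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def make_hs256_token(payload: dict, secret: bytes) -> str:
    """Mint a test token (constructed sample input, not from a real issuer)."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(segments)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


SAMPLE_SECRET = b"example-secret-not-for-production"  # constructed for this example
SAMPLE_TOKEN = make_hs256_token(
    {"iss": "https://issuer.example", "sub": "user-42", "iat": 1700000000, "exp": 1700003600},
    SAMPLE_SECRET)
```

Passing a fixed `now` to `decode_jwt` makes the expiry check reproducible; `verify_hs256` with a wrong secret or an altered payload returns False, which is the check the decoder alone cannot perform.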