JWT Decoder & Inspector

Decode and inspect JSON Web Tokens instantly — free and private

Instant decoding | 100% client-side

Quick Reference

  • JWT has 3 parts separated by dots
  • Header specifies algorithm & token type
  • Payload contains claims (user data)
  • Signature ensures token integrity

Registered Claims

  • iss Issuer of the token
  • sub Subject (user identifier)
  • aud Audience (intended recipient)
  • exp Expiration time
  • iat Issued at time
  • nbf Not valid before time
  • jti Unique token identifier

100% Private

All decoding happens locally in your browser. No token data is ever sent to any server.

What Is a JSON Web Token?

Understanding the compact, self-contained token format used for secure authentication and data exchange

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, URL-safe way to transmit claims between parties as a JSON object. The token is digitally signed using a shared secret (HMAC) or a public/private key pair (RSA, ECDSA), so any alteration of the header or claims after issuance is detected when the signature is verified. The signature does not prevent tampering; it makes tampering detectable by a verifier that holds the right key.

JWTs are widely used in modern web applications for stateless authentication, single sign-on (SSO), and API authorization. Because the token is self-contained, carrying all the information needed to identify and authorize the user, servers do not need to query a database or session store on every request. The trade-off is that a signed token remains valid until its exp time unless the server keeps its own revocation list, so issuers should keep lifetimes short.

Header

The header typically contains two fields: alg (the signing algorithm, e.g. HS256 or RS256) and typ (the token type, usually "JWT"). Issuers that rotate keys often add kid, an identifier telling the verifier which key signed the token. The header JSON is Base64url-encoded to form the first part of the token.

Payload

The payload contains claims — statements about the user and additional metadata. Claims can be registered (iss, sub, exp), public, or private. The payload is Base64url-encoded but not encrypted, so sensitive data should not be stored here.

Signature

The signature is created by signing the Base64url-encoded header and payload, joined by a dot, with a secret key (HMAC) or a private key (RSA, ECDSA). The recipient verifies it using the same secret or the corresponding public key, and rejects the token if verification fails. The verifier must decide in advance which algorithm and key it accepts: the alg field is inside the untrusted token, and a verifier that honours it blindly can be tricked with alg set to "none" (no signature at all) or with an HMAC algorithm used against a public key the attacker already knows.

JWT Structure Explained

A detailed breakdown of each component in a JSON Web Token

Token format: A JWT consists of three Base64url-encoded strings separated by dots (.)

header . payload . signature
Part        Purpose                                                   Encoding
Header      Declares the token type and signing algorithm             Base64url(JSON)
Payload     Contains claims (user data, permissions, timestamps)      Base64url(JSON)
Signature   Ensures integrity and authenticity of the token           Base64url(sign(key, Base64url(header) + "." + Base64url(payload)))

The signing input is the ASCII string formed by the first two encoded parts joined with a dot, not the raw JSON; sign is HMAC with the shared secret or an RSA/ECDSA signature with the private key, depending on alg.

Important: Base64url encoding is not encryption. Anyone can decode the header and payload. Never store sensitive information (passwords, credit card numbers) in a JWT payload. The signature only guarantees the data has not been tampered with — it does not hide the data.

Frequently Asked Questions

Common questions about JSON Web Tokens and this decoder tool

What is a JSON Web Token?

A JSON Web Token (JWT) is a compact, URL-safe token format defined by RFC 7519. It consists of three Base64url-encoded parts separated by dots: a header (algorithm and type), a payload (claims and data), and a signature (integrity verification). JWTs are widely used for authentication, authorization, and secure information exchange between services.

Does this tool verify the signature?

No. This tool decodes and inspects the JWT structure (header, payload, and signature) but does not perform cryptographic signature verification. Verifying a signature requires the secret key (for HMAC algorithms) or the public key (for RSA/ECDSA algorithms). An HMAC secret must never be pasted into a browser tool, since anyone holding it can mint valid tokens; a public key could be shared safely, but this tool does not implement verification either way. Use a server-side library, configured with an explicit list of allowed algorithms, for signature verification.

Is my token data safe with this tool?

Yes. All processing happens entirely in your browser using JavaScript. No token data is transmitted to any server. You can verify this by opening your browser's Developer Tools (Network tab): no requests are made when you decode a token. The tool works fully offline once the page has loaded.

When is a JWT expired?

A JWT is expired when the current time has passed the value in the exp (expiration time) claim. The exp claim is a Unix timestamp in seconds since January 1, 1970 (a value in milliseconds is a common bug and makes the token appear valid for centuries). Expired tokens should be rejected by servers, allowing at most a few seconds of clock skew, and should not be used for authentication or authorization; the nbf (not before) claim should be checked the same way. This tool flags expired tokens with a visual warning.

Which signing algorithms are commonly used?

The most commonly used algorithms are: HS256 (HMAC with SHA-256), a symmetric algorithm using a shared secret; RS256 (RSA with SHA-256), an asymmetric algorithm using a public/private key pair; and ES256 (ECDSA with SHA-256), an asymmetric algorithm using elliptic curve cryptography. HS256 is the simplest to implement, but every service that verifies an HS256 token holds the secret and could therefore also forge tokens. RS256 and ES256 are preferred for distributed systems because only the issuer holds the private signing key, while verifiers need only the public key.

What is Base64url and why do JWTs use it?

Standard Base64 uses the characters + and /, which have special meaning in URLs and file paths. Base64url replaces + with - and / with _, and removes the trailing = padding characters. JWTs use Base64url encoding so that tokens can be safely transmitted in URLs, HTTP headers, and query parameters without additional encoding; a decoder has to reverse the substitution and restore the padding before handing the string to a standard Base64 routine.
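A minimal client-side inspector of the kind described on this page, as an added example (not the tool's own code), covering the three-part structure from the "JWT Structure Explained" section, the expiry rule, and the Base64url conversion just described. It uses only browser globals (atob, btoa, TextEncoder, TextDecoder), which Node 16+ also provides, and never verifies the signature. The sample header, claims and signature string are constructed for illustration.

```javascript
// Added example: decode and inspect a JWT without verifying it.
// Sample token contents below are constructed, not real credentials.

// Base64url -> UTF-8 string: undo the -/_ substitution, restore "=" padding,
// then decode with the standard Base64 routine.
function base64urlDecode(str) {
  let b64 = str.replace(/-/g, "+").replace(/_/g, "/");
  const rem = b64.length % 4;
  if (rem === 1) throw new Error("invalid Base64url length");
  if (rem) b64 += "=".repeat(4 - rem);
  const bin = atob(b64);
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// UTF-8 string -> Base64url (the inverse), used here only to build a sample token.
function base64urlEncode(str) {
  const bytes = new TextEncoder().encode(str);
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Split into header.payload.signature, decode the two JSON parts, and flag the
// timing and signing problems an inspector can see without any key.
// `now` is Unix seconds; it is a parameter so results are reproducible.
function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error("expected 3 dot-separated parts, got " + parts.length);
  }
  const [h, p, s] = parts;
  const header = JSON.parse(base64urlDecode(h));
  const payload = JSON.parse(base64urlDecode(p));

  const warnings = [];
  if (header.alg === "none" || s === "") warnings.push("unsigned token (alg none / empty signature)");
  if (typeof payload.exp === "number" && now >= payload.exp) warnings.push("expired");
  if (typeof payload.nbf === "number" && now < payload.nbf) warnings.push("not yet valid (nbf)");
  // exp/iat/nbf are seconds since the epoch; anything above 1e11 is almost
  // certainly milliseconds, which would make the token look valid for millennia.
  for (const claim of ["exp", "iat", "nbf"]) {
    if (typeof payload[claim] === "number" && payload[claim] > 1e11) {
      warnings.push(claim + " looks like milliseconds, not seconds");
    }
  }

  return {
    header,
    payload,
    signature: s, // left encoded: it cannot be checked without the key
    expiresAt: typeof payload.exp === "number" ? new Date(payload.exp * 1000).toISOString() : null,
    warnings,
  };
}

// Stand-alone demonstration with a constructed token. The signature part is a
// placeholder: the decoder reads the claims regardless, which is exactly why
// secrets must never be placed in the payload.
const sampleToken =
  base64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })) + "." +
  base64urlEncode(JSON.stringify({ sub: "alice", iat: 1699990000, exp: 1700000000 })) + "." +
  "c29tZS1zaWduYXR1cmU";
console.log(decodeJwt(sampleToken, 1699995000)); // no warnings, expiresAt 2023-11-14T22:13:20.000Z
console.log(decodeJwt(sampleToken, 1700000001).warnings); // [ "expired" ]
```

Everything the inspector reports is derived from untrusted input; it tells you what the token says about itself, not whether an issuer actually said it.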