Is it safe to paste my JWT here?

Yes. All decoding happens entirely in your browser using JavaScript. No data is sent to any server.

Can this tool verify JWT signatures?

This tool decodes and displays JWT contents. Full cryptographic signature verification requires the signing secret or public key, which is not sent to the browser for security reasons.

What JWT algorithms are supported?

The decoder works with any JWT regardless of algorithm (HS256, RS256, ES256, etc.). It decodes the Base64URL-encoded header and payload without needing the signing key.

JWT Decoder & Validator

Decode, inspect, and validate JSON Web Tokens. View header, payload, and signature details instantly in your browser.

Encoded Token

HEADERAlgorithm: HS256

{
  "alg": "HS256",
  "typ": "JWT"
}

PAYLOADIssued: Jan 18, 2018, 01:30:22

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

SIGNATUREPresent

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)

This tool decodes JWT tokens for inspection only. No signature verification is performed. Never trust unverified tokens in production.

How to Use the JWT Decoder

Paste a JSON Web Token into the input field. The tool instantly decodes the Base64URL-encoded header and payload, displaying the contents in a readable JSON format. The signature section shows the algorithm used.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three parts separated by dots: a header (algorithm and token type), a payload (claims and data), and a signature (for verification).

JWT Structure

Header — Contains the signing algorithm (e.g., HS256, RS256) and token type (JWT).
Payload — Contains claims: registered (iss, exp, sub), public, and private claims.
Signature — Created by signing the encoded header and payload with a secret or private key.

Common JWT Claims

iss (Issuer) — Who issued the token.
sub (Subject) — The subject of the token.
exp (Expiration) — When the token expires (Unix timestamp).
iat (Issued At) — When the token was issued.
aud (Audience) — Intended recipient of the token.

Related Guides

What is JWT? JSON Web Tokens Explained — understand the structure, claims, and security of JWTs
How to Debug JWT Authentication Issues — step-by-step troubleshooting for common JWT errors
Hashing Explained: MD5, SHA-256 & More — the cryptography behind JWT signatures

How to Debug JWT Authentication Issues

Decode JWTs, read claims, and fix the 5 most common auth errors — expired tokens, wrong audience, algorithm mismatch, and more.

What is JWT? JSON Web Tokens Explained

Learn what JSON Web Tokens are, how they work, their structure (header, payload, signature), and when to use them for authentication and authorization.