JWT Decoder
Paste a JSON Web Token to decode its Header and Payload.
What is a JSON Web Token (JWT)?
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
Understanding the JWT Structure
A standard JSON Web Token consists of three parts separated by dots (.):
- Header: Typically consists of two parts: the type of the token (which is JWT) and the signing algorithm being used, such as HMAC SHA256 or RSA.
- Payload: Contains the claims. Claims are statements about an entity (typically, the user) and additional data. Common claims include iss (issuer), exp (expiration time), and sub (subject).
- Signature: Used to verify the message wasn't changed along the way. Our tool currently decodes the Header and Payload but does not verify the signature.
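The three-part structure above, as an added example (not this tool's own code): a decode-only routine that splits the token, base64url-decodes the Header and Payload, and reports the signature as unverified. The function names, the warning strings and the sample token are assumptions constructed for illustration.

```javascript
// Added example: decodes a JWT's header and payload; it does NOT verify the signature.
function b64urlToJson(segment) {
  // base64url -> base64: swap the URL-safe alphabet back and restore '=' padding
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  if (b64.length % 4 === 1) throw new Error("invalid base64url length");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  // Claims are UTF-8 JSON; fatal:true rejects malformed byte sequences
  const value = JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
  if (value === null || typeof value !== "object" || Array.isArray(value))
    throw new Error("segment is not a JSON object");
  return value;
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const warnings = [];
  if (String(header.alg).toLowerCase() === "none" || parts[2] === "")
    warnings.push("token carries no signature");
  if (typeof payload.exp === "number" && payload.exp <= nowSeconds)
    warnings.push("token is expired");
  // Decoded claims are display-only until a server verifies the signature
  return { header, payload, signatureVerified: false, warnings };
}

// Constructed sample input (this helper is used only to build it)
function toB64url(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_TOKEN = [
  toB64url({ alg: "HS256", typ: "JWT" }),
  toB64url({ iss: "https://issuer.example", sub: "user-123", name: "Zoë", exp: 2000000000 }),
  "constructed-placeholder-not-a-real-signature",
].join(".");

console.log(decodeJwt(SAMPLE_TOKEN, 1700000000));
```

The placeholder signature is never checked, so the header and payload decode without any key: what a decoder shows is what the token says, not what a server has accepted.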
Why Decode JWTs?
As a backend or frontend developer handling authentication (like OAuth2 or user login systems), you often receive a JWT token from a server. Decoding the token allows you to inspect the data (such as user roles, email, or expiration timestamp) embedded within it to debug your application effectively.
Is it safe to paste my JWT here?
Yes, 100% safe. This JWT Decoder is built using pure JavaScript. All decoding happens directly inside your web browser. The token is never sent across the network, stored, or logged on our servers. However, you should still never share a production JWT with sensitive access rights in public forums.