JWT Decoder
Paste a JSON Web Token to instantly decode its header and payload.
Decoded entirely in your browser. Your token is never sent to a server.
Header Part 1 of 3
Payload Part 2 of 3
Signature Part 3 of 3
Signature cannot be verified without the secret / public key. This tool only decodes — it does not validate authenticity.
Frequently Asked Questions
- What is a JWT?
- A JSON Web Token (JWT) is a compact, URL-safe string used to transmit claims between parties. It has three Base64URL-encoded parts separated by dots: header.payload.signature.
- Can this tool verify the signature?
- No. Signature verification requires the secret key (HMAC) or public key (RSA/ECDSA). This tool only decodes — never trust a decoded JWT as authenticated without verifying the signature server-side.
- Is it safe to paste my token here?
- Decoding is 100% in-browser — nothing is sent to a server. Still, avoid pasting live production tokens that grant access to sensitive systems into any online tool.
- What are the standard JWT claims?
- iss (issuer) · sub (subject) · aud (audience) · exp (expiration) · nbf (not before) · iat (issued at) · jti (JWT ID)
- What algorithms do JWTs use?
- Common algorithms are HS256 (HMAC-SHA256, symmetric), RS256 (RSA-SHA256, asymmetric), and ES256 (ECDSA-SHA256). The algorithm is declared in the header's alg field.
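
Decoding versus verifying, as described in the signature answer above, shown for HS256 in Node.js. This is an added example and not this tool's own code; the function names, the demo secret and both tokens are constructed for illustration.

```javascript
// Added example (Node.js, CommonJS). Secret and tokens are constructed for the demo.
const crypto = require('node:crypto');

const b64urlJson = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Decode only: what a decoder tool does. Proves nothing about authenticity.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [header, payload] = parts.slice(0, 2)
    .map((p) => JSON.parse(Buffer.from(p, 'base64url').toString('utf8')));
  return { header, payload, signingInput: `${parts[0]}.${parts[1]}`, signature: parts[2] };
}

// Verify: recompute the HMAC over "header.payload" and compare in constant time.
function verifyHs256(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  let jwt;
  try { jwt = decodeJwt(token); } catch { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm on the verifier side; never let the header choose it.
  if (jwt.header?.alg !== 'HS256') return { ok: false, reason: 'unexpected alg' };
  const expected = crypto.createHmac('sha256', secret).update(jwt.signingInput).digest();
  const actual = Buffer.from(jwt.signature, 'base64url');
  if (actual.length !== expected.length || !crypto.timingSafeEqual(actual, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  if (typeof jwt.payload?.exp === 'number' && nowSec >= jwt.payload.exp) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, claims: jwt.payload };
}

// Constructed sample: sign a token, then pair an edited payload with the old signature.
function signHs256(payload, secret) {
  const input = `${b64urlJson({ alg: 'HS256', typ: 'JWT' })}.${b64urlJson(payload)}`;
  return `${input}.${crypto.createHmac('sha256', secret).update(input).digest('base64url')}`;
}

const DEMO_SECRET = 'constructed-demo-secret';
const genuine = signHs256({ sub: 'alice', role: 'user', exp: 2000000000 }, DEMO_SECRET);
const [h, , s] = genuine.split('.');
const tampered = `${h}.${b64urlJson({ sub: 'alice', role: 'admin', exp: 2000000000 })}.${s}`;

console.log(decodeJwt(tampered).payload.role);               // decodes without complaint
console.log(verifyHs256(genuine, DEMO_SECRET, 1700000000));  // accepted
console.log(verifyHs256(tampered, DEMO_SECRET, 1700000000)); // rejected
```

The edited token decodes cleanly, which is why decoded claims must not drive any authorization decision until the signature check has passed on the server.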