JWT Decoder

Decode JSON Web Tokens and inspect payloads.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims transferred between two parties. It's widely used for authentication: after you log in, a server issues you a JWT, and you send that token with subsequent requests to prove who you are.

Anatomy of a JWT

A JWT has three parts separated by dots: header.payload.signature. The header and payload are Base64URL-encoded JSON; the signature is raw bytes (an HMAC or digital signature computed over the first two parts) encoded the same way:

  • Header: typically {"alg":"HS256","typ":"JWT"} — declares the signing algorithm.
  • Payload: the "claims" — sub (subject), exp (expiration), iat (issued at), plus any custom fields.
  • Signature: a cryptographic proof that the header + payload have not been tampered with.

Common Claims

  • iss — issuer (who created the token)
  • sub — subject (who the token is about)
  • aud — audience (who the token is for)
  • exp — expiration time (Unix timestamp)
  • iat — issued at (Unix timestamp)
  • nbf — not before (Unix timestamp)

This Tool Decodes, It Does Not Verify

Decoding a JWT only reads the payload — it doesn't check whether the signature is valid. You should never trust a JWT's contents on your server without verifying the signature against the issuer's key. This tool is for inspection and debugging only.
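To make the anatomy above and the decode-versus-verify distinction concrete, here is an added example (not code from this tool): it splits and Base64URL-decodes a token the way the decoder does, then shows a server-side HS256 check that rejects a token whose payload was swapped but whose signature was left in place. The key and tokens are constructed for the demo; the claim values are placeholders.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s: str) -> bytes:
    # Base64URL drops the '=' padding; restore it or decoding fails.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def decode_jwt(token: str) -> tuple:
    """Decode only: returns (header, payload); the signature is not checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated parts")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a token the way a server would (HS256 = HMAC-SHA256 over header.payload)."""
    def compact(obj): return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact({"alg": "HS256", "typ": "JWT"}) + "." + compact(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Verify: check alg, the HMAC, and exp/nbf before trusting any claim."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, fixes the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    return payload

DEMO_KEY = b"constructed-demo-secret"  # constructed demo value, not a real key
DEMO_TOKEN = sign_hs256({"sub": "alice", "iat": 1700000000, "exp": 1700003600}, DEMO_KEY)
# Swap the payload for a forged one but keep the original signature.
_h, _p, _s = DEMO_TOKEN.split(".")
TAMPERED_TOKEN = _h + "." + b64url_encode(b'{"sub":"admin","exp":1700003600}') + "." + _s

if __name__ == "__main__":
    print("decoded sub:", decode_jwt(TAMPERED_TOKEN)[1]["sub"])  # 'admin': decoding trusts anything
    print("verified sub:", verify_hs256(DEMO_TOKEN, DEMO_KEY, 1700000100)["sub"])  # 'alice'
```

Running `verify_hs256(TAMPERED_TOKEN, DEMO_KEY, 1700000100)` raises "signature mismatch", and a token cut short (fewer than three parts) is rejected by `decode_jwt` instead of producing a JSON parse error.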

Security Note

Anyone who sees a JWT can read its payload — Base64 is not encryption. Don't put sensitive information (passwords, personal data) into a JWT payload. Treat JWTs like bearer tokens: if someone steals one, they can impersonate the user until it expires.
