JWT Decoder

Decode and inspect JSON Web Tokens

About JWT

  • • JWT consists of three parts: Header, Payload, and Signature
  • • This tool only decodes the token - it doesn't verify the signature
  • • Never share JWT tokens containing sensitive information
  • • Common claims: iss (issuer), sub (subject), aud (audience), exp (expiration)

Understanding JSON Web Tokens (JWT)

A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties as a JSON object. JWTs are widely used in modern web applications for authentication, authorization, and information exchange.

JWT Structure

Every JWT consists of three parts separated by dots: Header.Payload.Signature. The header specifies the signing algorithm (e.g., HS256, RS256). The payload contains claims — statements about the user and additional metadata such as expiration time. The signature ensures the token has not been tampered with.

Common Use Cases

  • Authentication: After login, the server issues a JWT. The client sends it with each request to access protected resources.
  • Single Sign-On (SSO): JWTs enable seamless authentication across multiple applications and services.
  • API Authorization: Microservices use JWTs to verify that requests come from authenticated users with the correct permissions.
  • Information Exchange: JWTs can securely carry user profile data between services without requiring additional database lookups.

Security Note

This decoder only reads the token payload — it does not verify the signature. Never paste production tokens containing sensitive data into online tools. JWTs are encoded (Base64URL), not encrypted, meaning anyone can read the payload. Always validate tokens server-side in production environments.