Oh MyUtils

JWT Decoder - Decode JSON Web Tokens Online

Decode and inspect JWT header, payload, and signature instantly. Verify token expiration and claims — no data sent to server, 100% client-side.


Frequently Asked Questions

What is a JSON Web Token (JWT)?

JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. It consists of three parts separated by dots: Header (algorithm and token type), Payload (claims/data), and Signature (for verification). JWTs are commonly used for authentication and authorization in web applications.

How do I use this JWT Decoder?

Simply paste your JWT token in the input field. The tool automatically decodes it and displays the Header, Payload, and Signature in separate tabs. You can click on each tab to view the decoded JSON content. To verify the signature, enter your secret key (for HMAC) or public key (for RSA) in the verification section.

Is it safe to decode my JWT here?

Yes, this tool is 100% client-side. Your JWT never leaves your browser: all decoding and verification happens locally using JavaScript. No data is sent to any server. However, you should never share JWTs containing sensitive information publicly, as the payload is only Base64URL-encoded, not encrypted, and anyone who holds the token can read it.

What are JWT claims?

Claims are statements about an entity (typically the user) and additional data. Standard claims include: exp (expiration time), iat (issued at), nbf (not before), sub (subject), iss (issuer), aud (audience), and jti (JWT ID). Custom claims can also be added for application-specific data like user roles or permissions.

How does signature verification work?

JWT signatures let the recipient detect whether a token has been tampered with. For HMAC algorithms (HS256, HS384, HS512), the signature is created using a secret key shared between parties. For RSA algorithms (RS256, RS384, RS512), an asymmetric key pair is used: the private key signs and the public key verifies. Decoding a token does not check its signature; the claims should be trusted only after verification succeeds. This tool uses the Web Crypto API for secure verification.

Code Examples

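// Decode JWT (without verification)
function decodeJWT(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('Expected three dot-separated parts');
  }
  const [headerB64, payloadB64] = parts;

  const decodeBase64Url = (str) => {
    // Base64URL -> Base64, restoring the padding that JWTs strip
    const base64 = str.replace(/-/g, '+').replace(/_/g, '/')
      .padEnd(Math.ceil(str.length / 4) * 4, '=');
    // atob yields a binary string; decode it as UTF-8 so non-ASCII claims survive
    const bytes = Uint8Array.from(atob(base64), (c) => c.charCodeAt(0));
    return JSON.parse(new TextDecoder().decode(bytes));
  };

  // Decoding only: nothing here proves the token is authentic
  return {
    header: decodeBase64Url(headerB64),
    payload: decodeBase64Url(payloadB64)
  };
}

// The token below is truncated on the page; substitute a complete token before running
const token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...';
const { header, payload } = decodeJWT(token);
console.log(payload);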
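
Added example (not this tool's own code): HS256 verification with the Web Crypto API as described under "How does signature verification work?", followed by the exp and nbf checks from the claims section. The function names, the secret and the sample token are constructed for illustration; the expected algorithm is fixed by the verifier rather than read from the token.

```javascript
// Added example: HS256 verification via Web Crypto, then exp/nbf checks.
const enc = new TextEncoder();
const b64urlToBytes = (s) => {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
};
const bytesToB64url = (bytes) =>
  btoa(String.fromCharCode(...new Uint8Array(bytes)))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const parseJson = (part) => JSON.parse(new TextDecoder().decode(b64urlToBytes(part)));

async function hmacKey(secret, usage) {
  // Browsers and Node >= 19 expose globalThis.crypto; older Node needs the import.
  const { subtle } = globalThis.crypto ?? (await import('node:crypto')).webcrypto;
  const key = await subtle.importKey('raw', enc.encode(secret),
    { name: 'HMAC', hash: 'SHA-256' }, false, [usage]);
  return { subtle, key };
}

// Builds a constructed sample token so the example has input to verify.
async function signHs256(payload, secret) {
  const part = (obj) => bytesToB64url(enc.encode(JSON.stringify(obj)));
  const input = `${part({ alg: 'HS256', typ: 'JWT' })}.${part(payload)}`;
  const { subtle, key } = await hmacKey(secret, 'sign');
  const sig = await subtle.sign('HMAC', key, enc.encode(input));
  return `${input}.${bytesToB64url(sig)}`;
}

// Resolves to { ok, reason?, payload? }. `now` is in seconds, like exp and nbf.
async function verifyHs256(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, payload, sig;
  try {
    header = parseJson(parts[0]);
    payload = parseJson(parts[1]);
    sig = b64urlToBytes(parts[2]);
  } catch { return { ok: false, reason: 'malformed' }; }
  // The verifier pins the algorithm; the header value is only compared against it.
  if (header?.alg !== 'HS256') return { ok: false, reason: 'unexpected alg' };
  const { subtle, key } = await hmacKey(secret, 'verify');
  const signed = enc.encode(`${parts[0]}.${parts[1]}`);
  if (!(await subtle.verify('HMAC', key, sig, signed))) return { ok: false, reason: 'bad signature' };
  // Claims are trusted only after the signature check has passed.
  if (typeof payload?.exp === 'number' && now >= payload.exp) return { ok: false, reason: 'expired' };
  if (typeof payload?.nbf === 'number' && now < payload.nbf) return { ok: false, reason: 'not yet valid' };
  return { ok: true, payload };
}
```

Pass a fixed `now` when testing so expiry results are reproducible; in production the default (current time in seconds) applies.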
