JWT Decoder

Decode and inspect JSON Web Tokens (JWT). View header, payload, signature, and claim details including expiration, issued at, and not-before timestamps.

Sample token as decoded by the tool:

Algorithm: HS256
Type: JWT
Signature: SflKxwRJSMeKKF2QT4fw...
Expires: 11/20/2286, 5:46:39 PM
Status: ✅ Valid
Expires In: 95133 days
Issued At: 1/18/2018, 1:30:22 AM
Age: 3059 days ago

Header:
{
  "alg": "HS256",
  "typ": "JWT"
}

Payload:
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 9999999999
}

Understanding JWT Structure

A JSON Web Token consists of three base64url-encoded parts separated by dots. The first part (header) names the signing algorithm and the token type. The second part (payload) contains the claims: statements about the user plus token metadata. The third part (signature) lets a verifier confirm that the header and payload were not altered after signing. The header and payload are only encoded, not encrypted, so anyone holding the token can read them; only the signature provides integrity, and only for a verifier that holds the right key.

Common Use Cases

  • API Authentication: Verify user identity across API requests without storing session state
  • Single Sign-On (SSO): Share authentication across multiple applications
  • Information Exchange: Securely transmit claims between parties
  • OAuth2 & OpenID Connect: Standard token format for modern auth protocols
  • Microservices: Pass user context between service boundaries

Frequently Asked Questions

What is a JWT token?
JWT (JSON Web Token) is an open standard for securely transmitting information between parties as a JSON object. A JWT consists of three parts separated by dots: a header (algorithm & token type), a payload (claims/data), and a signature (verification). JWTs are commonly used for authentication and authorization in web applications and APIs.
Is it safe to decode JWTs publicly?
Decoding a JWT is safe because it only reveals the base64url-decoded content of the header and payload; this data is not encrypted, just encoded, so anyone with the token can already read it. The security comes from the signature, which lets a verifier confirm the token hasn't been tampered with. Never share tokens containing sensitive data in public places. This tool processes everything in your browser; nothing is sent to any server.
How do I verify a JWT signature?
This tool decodes JWTs but does not verify the signature since that requires the secret key (for HMAC) or public key (for RSA/ECDSA). The signature verification must be done server-side using the appropriate key. The three most common algorithms are HS256 (symmetric, same key for sign and verify), RS256 (asymmetric, private key signs, public key verifies), and ES256 (ECDSA).
What are JWT claims?
Claims are statements about an entity (typically the user) and additional metadata. Standard claims include: `iss` (issuer), `sub` (subject), `aud` (audience), `exp` (expiration timestamp), `nbf` (not before), `iat` (issued at), and `jti` (JWT ID). Custom claims can be added for application-specific data like roles, permissions, or user preferences.
What is the difference between JWT, JWS, and JWE?
JWT is the general term for JSON Web Token. JWS (JSON Web Signature) is a JWT carrying a signature; it is the most common type and is what signature verification applies to. JWE (JSON Web Encryption) is an encrypted JWT whose payload is encrypted so that only the intended recipient can read it. Most JWTs in practice are JWS tokens.
How long should a JWT be valid?
JWT expiration depends on your security requirements. Access tokens typically expire in 15-60 minutes. Refresh tokens can last days or weeks. Short expiration times reduce the risk of stolen tokens but require more frequent refreshing. Always include an `exp` claim and validate it server-side. Never issue tokens with extremely long expiry (years).