JWT Decoder

Decode and inspect JSON Web Tokens

Understanding JSON Web Tokens (JWT)
TL;DR

A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting claims between parties. It consists of three Base64URL-encoded parts — Header, Payload, and Signature — separated by dots. JWTs are not encrypted by default: anyone can read the payload.

What is a JWT?

A JSON Web Token (JWT) is an open standard (RFC 7519) for creating compact, self-contained tokens that securely represent claims between two parties. JWTs are widely used in authentication and authorization flows, especially in OAuth 2.0 and OpenID Connect protocols.

The key advantage of JWTs is that they are self-contained: the token itself carries all the information needed to verify its authenticity and extract user claims, without requiring a database lookup on every request.

How JWTs Work

A JWT consists of three parts separated by dots (.):

header.payload.signature

Each part is Base64URL-encoded (a URL-safe variant of Base64):

  1. Header — Specifies the algorithm (e.g., HS256, RS256) and token type
  2. Payload — Contains the claims (data) such as user ID, roles, and expiration
  3. Signature — Created by signing the header and payload with a secret or private key

When a server receives a JWT, it recalculates the signature using the header and payload with the known secret/key. If the signatures match, the token is authentic and untampered.

Standard Claims

The JWT specification defines several registered claims:

Claim  Name             Description
sub    Subject          The principal that is the subject of the JWT (usually a user ID)
iss    Issuer           The entity that issued the token
aud    Audience         The recipients the token is intended for
exp    Expiration Time  Unix timestamp after which the token must not be accepted
iat    Issued At        Unix timestamp when the token was created
nbf    Not Before       Unix timestamp before which the token must not be accepted
jti    JWT ID           Unique identifier for the token, useful for preventing replay attacks

Common Use Cases

  • Authentication: After login, the server issues a JWT that the client includes in subsequent requests (typically in the Authorization header as a Bearer token)
  • Single Sign-On (SSO): JWTs enable users to authenticate once and access multiple services without re-entering credentials
  • API authorization: Microservices validate JWTs independently without calling a central auth server
  • Information exchange: JWTs can carry arbitrary claims between parties with integrity guarantees

Try These Examples

Valid JWT (HS256)  [Valid]

A standard JWT signed with HMAC SHA-256. Contains subject, name, and issued-at claims in the payload.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Expired JWT  [Valid]

A structurally valid JWT but with an expiration time (exp) set in the past (January 2018). The decoder will flag it as expired.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkV4cGlyZWQgVXNlciIsImV4cCI6MTUxNjIzOTAyMiwiaWF0IjoxNTE2MjM5MDIyfQ.4t2RVjhVGEVS5U7IjJhN_AH-kK5jPFBdNzHgyK92mgQ

Malformed Token  [Invalid]

A string with dots but not valid Base64URL-encoded segments. The decoder will fail to parse the header and payload.

not.a.valid.jwt.token
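The decoding, signature recomputation and exp/nbf rules described under "How JWTs Work" and "Standard Claims", run against the three sample tokens above. This is an added Python example, not the decoder's own code; the function names, the constructed secret used by sign_hs256, and the fixed "now" timestamp are assumptions made here.

```python
import base64
import hashlib
import hmac
import json

# The two sample tokens from the examples above, embedded so the script runs stand-alone.
SAMPLE = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
EXPIRED = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkV4cGlyZWQgVXNlciIsImV4cCI6MTUxNjIzOTAyMiwiaWF0IjoxNTE2MjM5MDIyfQ.4t2RVjhVGEVS5U7IjJhN_AH-kK5jPFBdNzHgyK92mgQ"

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it, and reject characters outside the alphabet.
    padded = segment + "=" * (-len(segment) % 4)
    return base64.b64decode(padded, altchars=b"-_", validate=True)

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_jwt(token: str) -> tuple[dict, dict]:
    """Split header.payload.signature and parse the JSON parts. Decoding is NOT verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    try:  # binascii.Error, UnicodeDecodeError and JSONDecodeError are all ValueError subclasses
        return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))
    except ValueError as exc:
        raise ValueError(f"segment is not valid Base64URL-encoded JSON: {exc}") from exc

def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute HMAC-SHA256 over 'header.payload' and compare it to the signature in constant time."""
    header, _ = decode_jwt(token)
    if header.get("alg") != "HS256":  # the verifier fixes the algorithm; the token must not choose it
        return False
    signing_input, _, signature = token.rpartition(".")
    expected = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(signature))

def time_claim_problems(payload: dict, now: int) -> list[str]:
    """Apply the exp / nbf rules from the claims table for the Unix time 'now'."""
    problems = []
    if "exp" in payload and now >= payload["exp"]:
        problems.append("expired")
    if "nbf" in payload and now < payload["nbf"]:
        problems.append("not yet valid")
    return problems

def sign_hs256(payload: dict, secret: bytes) -> str:
    # Mints an HS256 token with a constructed secret so verify_hs256 can be exercised end to end.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"
```

Note that decode_jwt succeeds on the expired token and only time_claim_problems rejects it, which is exactly the distinction between "structurally valid" and "accepted" that the examples above draw.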