πŸ” Security Tool

JWT Decoder

Decode JSON Web Tokens instantly β€” header, payload and claims. Nothing leaves your browser.

⚠️ Signature is NOT verified β€” this tool only decodes. Never paste production secrets. Everything runs 100% client-side; your token never leaves your browser.

JWT Input

Header

Decoded header will appear here…

Payload

Decoded payload will appear here…

What Is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way of transmitting claims between two parties. It is widely used for API authentication and authorization: after a user logs in, the server issues a signed token that the client sends along with every subsequent request, letting the server identify the user without keeping session state. Because the payload is only base64url-encoded β€” not encrypted β€” anyone holding a token can read its contents, which is exactly what this decoder does.

JWT Structure: header.payload.signature

Every JWT is made of three dot-separated parts: header.payload.signature. The header declares the token type and the signing algorithm (such as HS256 or RS256). The payload carries the claims β€” standard ones like exp (expiry), iat (issued at), iss (issuer), sub (subject) and aud (audience), plus any custom data the application adds. The signature is a cryptographic hash of the first two parts computed with a secret or private key, which lets the server verify the token has not been tampered with.

Keep in mind that decoding a JWT proves nothing about its authenticity β€” only verifying the signature with the correct key does. This tool is meant for debugging and inspection: checking why a token was rejected, when it expires, or what claims your identity provider actually put inside it. Never share real production tokens, since anyone who obtains one can use it until it expires.