JWT Input
Header
Decoded header will appear hereβ¦
Payload
Decoded payload will appear hereβ¦
What Is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe way of transmitting claims between two parties. It is widely used for API authentication and authorization: after a user logs in, the server issues a signed token that the client sends along with every subsequent request, letting the server identify the user without keeping session state. Because the payload is only base64url-encoded β not encrypted β anyone holding a token can read its contents, which is exactly what this decoder does.
JWT Structure: header.payload.signature
Every JWT is made of three dot-separated parts: header.payload.signature. The header declares the token type and the signing algorithm (such as HS256 or RS256). The payload carries the claims β standard ones like exp (expiry), iat (issued at), iss (issuer), sub (subject) and aud (audience), plus any custom data the application adds. The signature is a cryptographic hash of the first two parts computed with a secret or private key, which lets the server verify the token has not been tampered with.
Keep in mind that decoding a JWT proves nothing about its authenticity β only verifying the signature with the correct key does. This tool is meant for debugging and inspection: checking why a token was rejected, when it expires, or what claims your identity provider actually put inside it. Never share real production tokens, since anyone who obtains one can use it until it expires.