JWT Decoder
Paste a JSON Web Token to inspect its header, payload, and standard claims. Expiry, issued-at, and not-before timestamps are shown as human-readable dates. Runs entirely in your browser — your token never leaves your device.
JWT structure
A JWT has three Base64URL-encoded parts separated by dots: header.payload.signature. The header identifies the algorithm (e.g. HS256, RS256). The payload contains claims — statements about a user or session. The signature proves the token was issued by a trusted party.
Why decode-only?
Verifying a JWT signature requires the secret key (HS256) or the public key (RS256/ES256). These are never available in the browser for legitimate tokens. Decode-only is correct here: you see the claims, but only your backend can confirm the token is authentic.
Standard claims
The JWT spec (RFC 7519) defines standard claims: exp (expiration time), iat (issued at), nbf (not before), sub (subject), iss (issuer), aud (audience), and jti (JWT ID). Custom claims can be anything — your team defines them.
Learn more about JWTs
- JWT Explained: What's Inside a JSON Web Token
  The three Base64URL parts, every standard claim, and why JWTs are signed but not encrypted.
- Implementing JWT Authentication in Node.js
  Login endpoint, protected route middleware, and refresh token flow — with the security settings that matter.
- JWT Security Pitfalls Every Developer Should Know
  The alg:none attack, weak secrets, missing exp validation, and the localStorage trap.
- Debugging Common JWT Errors
  TokenExpiredError, invalid signature, jwt malformed — the 5-step triage when auth breaks in production.