
JWT Decoder

Decode and inspect JWT tokens without verifying the signature.


What is a JWT?

A JSON Web Token (JWT, pronounced "jot") is a compact, URL-safe way of transmitting claims between parties as a JSON object. Defined in RFC 7519, JWTs are widely used for authentication and authorisation in web applications. When a user logs in, a server issues a JWT. The client sends this token with subsequent requests, and the server verifies it without needing to query a database for every request.

JWT structure: three parts

A JWT consists of three Base64URL-encoded sections separated by dots:

HEADER.PAYLOAD.SIGNATURE

Example:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 ← Header
.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ ← Payload
.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c ← Signature

The three parts decoded

Header
Algorithm and token type
Specifies the signing algorithm (HS256, RS256, ES256) and token type ("JWT"). Example: {"alg": "HS256", "typ": "JWT"}
Payload
Claims (user data)
Contains the "claims": statements about the user and metadata. Standard claims: sub (subject), iat (issued at), exp (expiry), iss (issuer), aud (audience).
Signature
Integrity verification
Created by signing the encoded header and payload (joined by a dot) with a secret key (HMAC algorithms such as HS256) or a private key (RS256, ES256). Verifying the signature proves the token was not tampered with.

⚠ Security: never trust unverified JWT claims

The payload of a JWT is Base64URL-encoded, not encrypted. Anyone who has the token can decode and read its contents; no secret key is needed. This is why JWTs must never contain sensitive information like passwords. The signature is what prevents tampering: without the server's secret key, a modified token will fail verification. Always verify JWTs on the server using the appropriate library.

🔒 Security rules for JWTs
  • Never store JWTs in localStorage; use httpOnly cookies to prevent XSS access
  • Set a short expiry (exp claim): 15 minutes to 1 hour for access tokens
  • Always verify the signature on the server; never trust the decoded payload alone
  • Reject tokens signed with algorithm "none"; this is an attack vector
  • Include audience (aud) and issuer (iss) claims to prevent token reuse across services

Frequently asked questions

Is it safe to paste a JWT here?

Decoding happens entirely in your browser; nothing is sent to a server. Even so, avoid pasting production tokens that contain sensitive data into any online tool.

Does this verify the JWT signature?

No. It only decodes the header and payload so you can inspect them. Verifying the signature requires the secret or public key and must be done server-side.

Why can anyone read my JWT payload?

The payload is Base64URL-encoded, not encrypted. Never store secrets in a JWT: the signature only guarantees the token has not been tampered with, not that its contents are private.

What does the "exp" claim mean?

It is the expiry time as a Unix timestamp (seconds). After that moment the server should reject the token. This tool flags whether a pasted token is already expired.

What this tool does

Decodes a JSON Web Token (JWT) and displays the header and payload in formatted JSON. Also shows whether the token is expired. Does NOT verify the signature; for display purposes only.

Input fields explained
JWT Token
Paste the full JWT token here. It has three parts separated by dots: header.payload.signature. The header and payload are Base64Url encoded and can be decoded without the secret key.
💡 Tips & context
→ Never share JWTs in production; the payload may contain user data.
→ JWT signatures are verified server-side with the secret key. This tool only decodes; it does not verify.
→ Common claims: sub (user ID), exp (expiry timestamp), iat (issued at), aud (audience).
Formula / How it works

JWT tokens have 3 parts separated by dots: header.payload.signature. All parts are Base64Url encoded. ⚠️ This tool only decodes; it does not verify the signature.
