JWT Decoder
Decode and inspect JWT tokens without verifying the signature.
What is a JWT?
A JSON Web Token (JWT, pronounced "jot") is a compact, URL-safe way of transmitting claims between parties as a JSON object. Defined in RFC 7519, JWTs are widely used for authentication and authorisation in web applications. When a user logs in, a server issues a JWT. The client sends this token with subsequent requests, and the server verifies it without needing to query a database for every request.
JWT structure: three parts
A JWT consists of three Base64URL-encoded sections separated by dots:
HEADER.PAYLOAD.SIGNATURE
Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 ← Header
.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ ← Payload
.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c ← Signature
The three parts decoded
Security: never trust unverified JWT claims
The payload of a JWT is Base64URL-encoded, not encrypted. Anyone who has the token can decode and read its contents; no secret key is needed. This is why a JWT must never carry sensitive information such as passwords. The signature is what prevents tampering: without the server's secret key, a modified token will fail verification. Always verify JWTs on the server using the appropriate library.
- Never store JWTs in localStorage; use httpOnly cookies so that script injected via XSS cannot read the token
- Set a short expiry (exp claim): 15 minutes to 1 hour for access tokens
- Always verify the signature on the server; never trust the decoded payload alone
- Reject tokens signed with algorithm "none": accepting unsigned tokens is a well-known attack vector
- Include audience (aud) and issuer (iss) claims, and check them, so a token issued for one service is not accepted by another
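A minimal decoder of the kind this page describes, written as an added example (not the tool's own source): it decodes header and payload without verifying the signature, flags expiry, and warns on the alg "none" and missing-exp cases from the checklist above. It assumes Node.js for Buffer and constructs its own alg "none" sample next to the token shown above.

```javascript
// Added example (not the tool's own source): decode a JWT's header and payload
// without verifying the signature, and flag the issues the checklist above names.
function base64UrlDecode(segment) {
  // Base64URL (RFC 4648 section 5) uses '-' and '_' instead of '+' and '/' and omits '=' padding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  // Buffer is Node-specific; in a browser use atob() plus TextDecoder for UTF-8.
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}

// nowSeconds is injectable so results are deterministic; it defaults to the current Unix time.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected header.payload.signature, got ${parts.length} part(s)`);
  }
  const [headerSeg, payloadSeg, signature] = parts;
  const header = JSON.parse(base64UrlDecode(headerSeg));
  const payload = JSON.parse(base64UrlDecode(payloadSeg));

  const warnings = [];
  if (typeof header.alg !== 'string' || header.alg.toLowerCase() === 'none') {
    warnings.push('alg is missing or "none": a server must reject this token');
  }
  if (signature === '') warnings.push('signature segment is empty');
  if (typeof payload.exp !== 'number') warnings.push('no exp claim: token never expires');

  // exp is a NumericDate: seconds since the Unix epoch (RFC 7519 section 4.1.4).
  const expired = typeof payload.exp === 'number' && payload.exp <= nowSeconds;
  return { header, payload, signature, expired, warnings };
}

// The example token from the page: HS256 header, payload with sub/name/iat and no exp.
const PAGE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

// Constructed sample: an unsigned alg "none" token whose exp (Unix time 1) is long past.
const NONE_TOKEN = base64UrlEncode('{"alg":"none"}') + '.' +
  base64UrlEncode('{"sub":"user-1","exp":1}') + '.';

console.log(decodeJwt(PAGE_TOKEN).payload.name); // John Doe
console.log(decodeJwt(NONE_TOKEN).warnings);
```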
Frequently asked questions
Is it safe to paste a JWT here?
Decoding happens entirely in your browser; nothing is sent to a server. Even so, avoid pasting production tokens that contain sensitive data into any online tool.
Does this verify the JWT signature?
No. It only decodes the header and payload so you can inspect them. Verifying the signature requires the secret or public key and must be done server-side.
Why can anyone read my JWT payload?
The payload is Base64URL-encoded, not encrypted. Never store secrets in a JWT: the signature only guarantees that the token has not been tampered with, not that its contents are private.
What does the "exp" claim mean?
It is the expiry time as a Unix timestamp (seconds). After that moment the server should reject the token. This tool flags whether a pasted token is already expired.
Decodes a JSON Web Token (JWT) and displays the header and payload as formatted JSON. Also shows whether the token is expired. Does NOT verify the signature; for display purposes only.
JWT tokens have 3 parts separated by dots: header.payload.signature. All parts are Base64URL-encoded. Warning: this tool only decodes; it does not verify the signature.