JWT Decoder
Decode JWTs to inspect header, payload, and expiry status.
What is a JSON Web Token (JWT)?
A JWT is a compact, URL-safe token that carries a set of claims (a JSON object) between parties. A JWT is normally signed, either with a shared secret (HMAC, e.g. HS256) or with a public/private key pair (RSA, ECDSA or EdDSA), so a recipient holding the right key can check that the token was issued by the expected party and has not been modified since. The signature does not hide anything: the header and payload are only Base64url-encoded, and anyone who holds the token can read them (that is all this decoder does). Claims that must stay confidential need an encrypted token (JWE), not just a signed one (JWS).
How JWT Authentication Works
A JWT consists of three parts: the header (the signing algorithm in alg and, usually, the token type typ), the payload (the claims), and the signature, computed over the encoded header and payload so a verifier can detect tampering. Each part is Base64url-encoded without padding, and the three are joined with dots: header.payload.signature.
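The decoding step in plain browser JavaScript, as an added example rather than the page's own decoder code: it splits the token, Base64url-decodes the header and payload, and classifies the exp/nbf window. The sample token is constructed inside the block and its signature segment is a placeholder, because decoding does not verify anything.

```javascript
// Added example: a minimal JWT decoder using only browser primitives (atob, btoa, TextDecoder).
// It decodes and inspects; it does NOT verify the signature.

function base64UrlDecode(segment) {
  // RFC 7515 base64url: '-' -> '+', '_' -> '/', padding stripped. Restore padding for atob.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8').decode(bytes);
}

function base64UrlEncode(text) {
  // Used here only to build the sample token; real tokens come from the issuer.
  const bytes = new TextEncoder().encode(text);
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  return {
    header: JSON.parse(base64UrlDecode(h)),
    payload: JSON.parse(base64UrlDecode(p)),
    signature: s, // left encoded: checking it needs the key, which a decoder does not have
  };
}

// Classify the token's time window per RFC 7519: expired when now >= exp,
// not yet valid when now < nbf. nowSeconds defaults to the current Unix time.
function expiryStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp !== 'number') return 'no-exp';
  if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) return 'not-yet-valid';
  return nowSeconds >= payload.exp ? 'expired' : 'valid';
}

// Constructed sample token (issuer URL and subject are made up for this example).
const SAMPLE_HEADER = { alg: 'HS256', typ: 'JWT' };
const SAMPLE_PAYLOAD = {
  sub: 'user-123',
  iss: 'https://issuer.example',
  iat: 1700000000,
  exp: 1700003600, // one hour after iat
};
const SAMPLE_JWT = [
  base64UrlEncode(JSON.stringify(SAMPLE_HEADER)),
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
  'c2lnbmF0dXJl', // placeholder signature segment; not a real MAC
].join('.');

const decoded = decodeJwt(SAMPLE_JWT);
console.log(JSON.stringify(decoded, null, 2));
console.log('status at 1700000000:', expiryStatus(decoded.payload, 1700000000));
console.log('status at 1700003600:', expiryStatus(decoded.payload, 1700003600));
```

The padding arithmetic is the part people get wrong: Base64url drops the trailing `=`, and `atob` refuses input whose length is not a multiple of four, so it has to be restored before decoding.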
JWT Security Best Practices
JWT authentication is stateless: the server does not need to store session data, which makes JWTs attractive for distributed systems and microservices. The flip side is that a signed token cannot be revoked without reintroducing server-side state, so the token's lifetime is the main control you have. Before trusting a token, a server should:
- Verify the signature with the algorithm it expects, pinned in its own configuration rather than read from the token's alg header, and reject alg none or any algorithm it did not configure.
- Validate the time window (exp, and nbf if present) and check iss and aud against the expected values; a valid signature from the right issuer is not enough if the token was minted for a different service.
- Keep access tokens short-lived, since the signature alone gives no way to invalidate a stolen token before it expires.
- Treat tokens as bearer secrets: send them only over TLS and keep them out of logs and URLs.
- Keep sensitive data out of the payload; it is Base64url-encoded, not encrypted.
Frequently Asked Questions
- What is a JWT?
- A JSON Web Token (JWT) is a compact, URL-safe token format defined by RFC 7519. It consists of three Base64url-encoded parts separated by dots: header.payload.signature. JWTs are commonly used for authentication and authorization in web applications.
- Can this tool verify JWT signatures?
- No. This tool only decodes and displays the header and payload. Verifying the signature needs the HMAC secret or the issuer's public key. A public key is not sensitive, but an HMAC secret (or a private key) is, and it should never be pasted into an online tool. Verify signatures server-side, with the algorithm pinned in your own configuration rather than taken from the token's header.
- Is it safe to paste my JWT here?
- Yes — all decoding happens in your browser. However, JWTs are bearer tokens: anyone who has the token can use it. Never share production JWTs in public places. For testing, use short-lived tokens or tokens from development environments.
- What are common JWT claims?
- Standard claims include: sub (subject/user ID), iss (issuer), exp (expiration time), iat (issued at), aud (audience), nbf (not before), and jti (JWT ID). Custom claims can contain any application-specific data.
- Why does my JWT show as expired?
- The optional "exp" claim holds a Unix timestamp (seconds since the epoch). If the current time is at or past that value, the token is expired and a server must reject it; a small allowance for clock skew is common, but keep it small. This tool compares "exp" with your browser's clock, so a wrong local clock can show a live token as expired, or the reverse. Check the "exp" field in the decoded payload to see the exact expiry time.