A Complete Guide to Our JSON Web Token (JWT) Decoder
Welcome to our secure, client-side JWT Decoder. This free online tool is an essential utility for any developer, security professional, or individual working with modern authentication systems. It allows you to instantly decode JWTs (JSON Web Tokens) and inspect their contents in a clean, human-readable format. Simply paste your token into the text area, and our tool will parse the Header and Payload, displaying them as formatted JSON.
The single most important feature of this online JWT decoder is its security. All decoding and processing happen 100% within your browser. Your tokens are never sent to our server. This client-side approach ensures that your sensitive information, such as authentication tokens, API keys, or private user data, remains completely private. You can debug any JWT token with full confidence.
What is a JSON Web Token (JWT)?
A JSON Web Token (JWT) is a compact, URL-safe open standard (defined by RFC 7519) used to securely transmit information between parties as a JSON object. Because this information is digitally signed, it can be verified and trusted. JWTs are stateless and self-contained, meaning all the information needed to authenticate a user is contained within the token itself. This makes them an extremely popular choice for modern web and mobile applications, particularly for handling authentication and information exchange.
You can easily identify a JWT by its three-part structure, with each part separated by a dot (`.`): `header.payload.signature`.
The Three Parts of a JWT Explained
When you use our JWT decoder, you are viewing the decoded versions of the first two parts of the token.
1. The Header (Metadata)
The first part of the token is the JWT Header. It is a JSON object that is Base64Url-encoded. It typically consists of two key-value pairs:
- `typ` (Type): This declares the type of the token, which is almost always `"JWT"`.
- `alg` (Algorithm): This specifies the signing algorithm used to create the signature. Common algorithms include `HS256` (HMAC with SHA-256, a symmetric algorithm) and `RS256` (RSA with SHA-256, an asymmetric algorithm).
2. The Payload (Claims)
The second part of the token is the JWT Payload. This part is also a Base64Url-encoded JSON object and contains the "claims." Claims are statements about an entity (typically the user) and additional data. There are three types of claims:
- Registered Claims: These are a set of predefined claims recommended by the JWT standard to ensure interoperability. Common registered claims include:
- `iss` (Issuer): The principal that issued the JWT.
- `sub` (Subject): The principal that is the subject of the JWT (e.g., the user's ID).
- `aud` (Audience): The recipient(s) that the JWT is intended for.
- `exp` (Expiration Time): The time *after* which the JWT must not be accepted. It is a numeric value representing a Unix timestamp.
- `nbf` (Not Before): The time *before* which the JWT must not be accepted.
- `iat` (Issued At): The time at which the JWT was issued.
- `jti` (JWT ID): A unique identifier for the token, often used to prevent replay attacks.
- Public Claims: These are claims defined by those using JWTs (such as Google or Microsoft); to avoid name collisions they are typically registered in the IANA JSON Web Token Claims Registry.
- Private Claims: These are custom claims created to share information between parties that agree on using them. For example, you might add `{"role": "admin"}` or `{"username": "john.doe"}` to your payload.
Our JWT claims viewer makes it easy to inspect all these claims at a glance.
3. The Signature
The third part of the token is the JWT Signature. It is created by taking the encoded header, the encoded payload, a secret key (or private key for asymmetric algorithms), and running them through the specified algorithm (`alg`).
The signature's purpose is to verify the token's authenticity. It ensures that the token was not altered in transit. If an attacker changes even a single character in the payload, the signature will no longer be valid. **This is why this tool does not and cannot validate the signature**—doing so would require the secret key, which should *never* be shared or pasted into an online tool.
How to Use This JWT Decoder Tool
- Copy Your Token: Copy the full JWT string (all three parts) from your application, browser's local storage, or API response.
- Paste the Token: Paste the token into the text area at the top of the page. You can also use the "Load Sample" button to see a valid token.
- Click "Decode Token": The tool will instantly parse the token.
- Inspect the Results: The Header and Payload will be displayed in two separate, clearly formatted JSON boxes below, allowing you to easily read all the claims and metadata.
- Clear: Click the "Clear" button to start over.
Common Debugging Scenarios
A JWT decoder is primarily a debugging tool. Here are common issues you can solve with it:
- "Token Expired" Errors: Paste the token and check the `exp` claim. Compare this Unix timestamp to the current time to see if the token is indeed expired.
- Permission Denied: Decode the payload to check the `role`, `scopes`, or other custom claims to ensure the user has the correct permissions.
- User Not Found: Inspect the `sub` (subject) claim to make sure the correct user ID is being sent to your backend.
- Token Not Valid for this App: Check the `aud` (audience) and `iss` (issuer) claims to ensure they match what your server is expecting.
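As an added example (not the tool's own code), here is a minimal client-side decoder of the kind described in the sections above: it splits the three parts, Base64Url-decodes the header and payload, leaves the signature unchecked, and runs the `exp`/`nbf`/`iss`/`aud` checks behind the debugging scenarios. The sample token, the `checkClaims` function and its `expected` parameter are constructed for this example; it relies only on the `atob`/`btoa` and `TextEncoder`/`TextDecoder` globals available in browsers and recent Node.js.

```javascript
// Base64Url -> UTF-8 string: restore the standard alphabet and the '=' padding
// that JWT segments omit, then decode the bytes as UTF-8.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Inverse helper, used only to build the constructed sample token below.
function base64UrlEncode(text) {
  const b64 = btoa(String.fromCharCode(...new TextEncoder().encode(text)));
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Split header.payload.signature and parse the first two as JSON; the signature is returned unchecked.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
    signature: parts[2],
  };
}

// Checks behind the debugging scenarios: exp, nbf, iss and aud. `nowSeconds` is a
// Unix timestamp; `expected` holds the iss/aud the backend wants (assumed names).
function checkClaims(payload, nowSeconds, expected) {
  const problems = [];
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) problems.push("expired");
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) problems.push("not yet valid");
  if (expected.iss !== undefined && payload.iss !== expected.iss) problems.push("issuer mismatch");
  const aud = [].concat(payload.aud ?? []); // aud may be a string or an array
  if (expected.aud !== undefined && !aud.includes(expected.aud)) problems.push("audience mismatch");
  return problems;
}

// Constructed sample token (not a real one): the usual HS256 header, a small
// payload, and a placeholder where a real token carries its signature.
const SAMPLE_PAYLOAD = { iss: "https://auth.example", sub: "user-42", aud: "my-app", iat: 1700000000, exp: 1700003600, role: "admin" };
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
  "signature-placeholder",
].join(".");
console.log(decodeJwt(SAMPLE_TOKEN));
```

Running `checkClaims(decodeJwt(SAMPLE_TOKEN).payload, 1700007200, { iss: "https://auth.example", aud: "my-app" })` reports `["expired"]`, which is exactly the "Token Expired" scenario above; a matching `iss`/`aud` and a time before `exp` yield an empty list.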
Related Developer Tools
Since JWTs are built on other web standards, you might find these tools useful in conjunction with our decoder:
- JSON Formatter: If your payload contains a nested, minified JSON string, you can copy it from the decoder and beautify it here.
- Base64 Decoder: The JWT header and payload are Base64Url-encoded. This tool can decode any Base64 string.
- Unix Timestamp Converter: Use this to convert the `exp` or `iat` claims into a human-readable date.