JWT Decoder

Decode and inspect any JSON Web Token (JWT). Reveals header, payload, and expiry status. Runs entirely in your browser — no token is sent to any server.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519. It consists of three Base64url-encoded parts separated by dots: a header (algorithm and token type), a payload (claims — data about the user or session), and a signature (used to verify the token was not tampered with).

JWTs are widely used for authentication and authorization in web APIs. After a user logs in, the server issues a JWT; the client sends it with each request; the server verifies the signature to trust the claims without querying a database.

Security note: The header and payload of a JWT are only Base64url-encoded, not encrypted. Do not store sensitive information (passwords, payment data) in the payload unless the JWT is also encrypted (JWE).
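The three-part structure and the security note above, as an added example (not jsondecode.com's own code): a decode-only inspector that reads the header and payload, reports expiry status, and lists claims whose names suggest sensitive data. The function names, the constructed sample token and the sensitive-name pattern are assumptions made for the illustration.

```javascript
// Added example: decode-only JWT inspection. It never verifies the signature,
// so the output must not be used to make trust decisions.
const SENSITIVE = /pass(word)?|secret|card|cvv/i; // assumed heuristic, not from RFC 7519

function b64urlToBytes(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg) || seg.length % 4 === 1) {
    throw new Error("segment is not valid Base64url");
  }
  // Base64url swaps '+' and '/' for '-' and '_' and drops the '=' padding.
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

function decodeSegment(seg) {
  // fatal: true rejects invalid UTF-8 instead of silently substituting U+FFFD.
  const text = new TextDecoder("utf-8", { fatal: true }).decode(b64urlToBytes(seg));
  const obj = JSON.parse(text);
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    throw new Error("segment does not decode to a JSON object");
  }
  return obj;
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  let expiry = "no exp claim";
  if ("exp" in payload) {
    // exp is seconds since the Unix epoch; the token is expired once now >= exp.
    if (!Number.isFinite(payload.exp)) expiry = "invalid exp claim";
    else expiry = nowSeconds >= payload.exp ? "expired" : "not expired";
  }
  // Anyone holding the token can read these claims, so flag risky-looking names.
  const readableSensitiveClaims = Object.keys(payload).filter((k) => SENSITIVE.test(k));
  return { header, payload, expiry, readableSensitiveClaims, signatureVerified: false };
}

// Constructed sample token; "c2ln" is a placeholder, not a real signature.
const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user-123", exp: 1700000000, password: "hunter2" }),
  "c2ln",
].join(".");

console.log(inspectJwt(SAMPLE));
```

The result always carries `signatureVerified: false`: decoding shows what a token claims, and only signature verification on the server establishes that the claims can be trusted.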