JWT Decoder
Decode and inspect any JSON Web Token (JWT). Reveals header, payload, and expiry status. Runs entirely in your browser — no token is sent to any server.
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519. It consists of three Base64url-encoded parts separated by dots: a header (algorithm and token type), a payload (claims — data about the user or session), and a signature (used to verify the token was not tampered with). The format is xxxxx.yyyyy.zzzzz.
JWTs are widely used for authentication and authorization in web APIs, OAuth 2.0 access tokens, OpenID Connect ID tokens, and stateless session management. After a user logs in, the server issues a JWT; the client sends it with each request in the Authorization: Bearer <token> header; the server verifies the signature to trust the claims without querying a database.
JWT structure
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Left to right: header . payload . signature
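As an added illustration (this is example code, not the tool's own implementation), the following decoder splits the compact serialization above into its three parts and Base64url-decodes the header and payload. It deliberately does no signature check, which is exactly what an inspection tool does; the `SAMPLE_TOKEN` constant is the token shown above.

```javascript
// Added example, not the jsondecode.com tool's own code: decode a JWT's header
// and payload for inspection. Nothing here verifies the signature.

// Base64url (RFC 4648 section 5) differs from plain Base64: '-' and '_' replace
// '+' and '/', and the trailing '=' padding is dropped, so it must be restored.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error("segment contains characters outside the base64url alphabet");
  }
  const base64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  if (base64.length % 4 === 1) {
    throw new Error("segment has an impossible base64url length");
  }
  const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Split the token into header.payload.signature and parse the two JSON parts.
// The signature segment is returned as-is; it is opaque to a decoder.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [headerB64, payloadB64, signatureB64] = parts;
  const header = JSON.parse(base64UrlDecode(headerB64));
  const payload = JSON.parse(base64UrlDecode(payloadB64));
  for (const [name, value] of [["header", header], ["payload", payload]]) {
    if (typeof value !== "object" || value === null || Array.isArray(value)) {
      throw new Error(`${name} is not a JSON object`);
    }
  }
  return { header, payload, signature: signatureB64 };
}

// Expiry status as an inspection tool would display it. `now` is seconds since
// the Unix epoch (exp and nbf are in seconds, not milliseconds); it is a
// parameter so that the result is deterministic and testable.
function expiryStatus(payload, now = Math.floor(Date.now() / 1000)) {
  if (typeof payload.nbf === "number" && now < payload.nbf) return "not yet valid";
  if (typeof payload.exp !== "number") return "no exp claim";
  return now > payload.exp ? "expired" : "valid";
}

// The token from the structure diagram on this page.
const SAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

if (typeof require !== "undefined" && require.main === module) {
  const decoded = decodeJwt(SAMPLE_TOKEN);
  console.log(JSON.stringify(decoded, null, 2));
  console.log("expiry status:", expiryStatus(decoded.payload));
}
```

The decoder rejects anything that is not three segments of valid Base64url text, because a token that does not even parse should never reach the claims logic; the sample token has no `exp` claim, so its status is reported as "no exp claim" rather than "valid".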
Registered JWT claims (RFC 7519)
| Claim | Name | Type | Description |
|---|---|---|---|
| iss | Issuer | string | Identifies who issued the JWT — usually a domain or auth server URL |
| sub | Subject | string | Identifies the principal — typically a user ID |
| aud | Audience | string / array | Intended recipients; the server should reject tokens not meant for it |
| exp | Expiration Time | number (Unix) | Token must be rejected after this time |
| nbf | Not Before | number (Unix) | Token must be rejected before this time |
| iat | Issued At | number (Unix) | When the token was issued; used to determine token age |
| jti | JWT ID | string | Unique identifier; can prevent replay attacks |
Common JWT signing algorithms
| Algorithm | Type | Key | Use case |
|---|---|---|---|
| HS256 | HMAC | Shared secret | Simple services where server signs and verifies |
| HS384 / HS512 | HMAC | Shared secret | Higher security HMAC variants |
| RS256 | RSA | Public/private key pair | Microservices — public key distributed for verification |
| RS384 / RS512 | RSA | Public/private key pair | Higher security RSA variants |
| ES256 | ECDSA | EC key pair | Smaller signatures than RSA; used in mobile/IoT |
| PS256 | RSA-PSS | Public/private key pair | RSA with probabilistic signing; more secure than RS256 |
| none | None | No key | Unsigned token — dangerous, should be rejected by servers |
Security considerations
Payloads are not encrypted. The header and payload are only Base64url-encoded — anyone can decode them. Do not store passwords, payment data, or other sensitive information in a JWT payload unless you use JSON Web Encryption (JWE, RFC 7516).
Always verify the signature server-side. A decoded payload cannot be trusted until the signature is verified with the correct key. This tool decodes without verification — use it only for inspection, never as a security check.
Check expiry. A valid signature does not mean the token is current. Always check the exp claim against the current time.
Reject the "none" algorithm. The JWT spec allows an unsigned "none" algorithm. A JWT library that lets the token's own alg header decide how it is verified, instead of checking alg against an explicit allowlist fixed by the server, is vulnerable to algorithm confusion attacks, of which accepting alg: none is the simplest case.
Frequently asked questions
How do I decode a JWT without the secret key?
The header and payload of a JWT are only Base64url-encoded, not encrypted or signed in a way that prevents decoding. You can decode them without the secret by Base64url-decoding each segment. This tool does exactly that — it reveals the claims inside any JWT without needing the secret. Only signature verification requires the secret key.
What is the difference between JWT authentication and session authentication?
Session authentication stores session data server-side (in a database or memory) and gives the client a session ID cookie. JWT authentication is stateless — all claims are embedded in the token itself, signed by the server. JWTs do not require a database lookup on each request, making them better for distributed systems, but they cannot be invalidated before expiry without a token blocklist.
What is a Bearer token?
Bearer is an HTTP authentication scheme defined in RFC 6750. The client sends the token in the Authorization header: Authorization: Bearer <token>. JWTs are the most common form of Bearer token in modern APIs. 'Bearer' means whoever holds the token can use it, so protect tokens in transit with HTTPS.
How do I check if a JWT is expired?
Decode the payload and read the exp claim — it is a Unix timestamp (seconds since epoch). Compare it with the current time. This tool does this automatically and shows a banner indicating whether the token is expired. Programmatically: Date.now() / 1000 > payload.exp.
What is the difference between OAuth 2.0 and JWT?
OAuth 2.0 is an authorization framework — a protocol for delegating access. JWT is a token format. OAuth 2.0 access tokens are often JWTs, but they don't have to be. OpenID Connect (OIDC) extends OAuth 2.0 and defines the ID token, which is always a JWT containing user identity claims.
Can I use a JWT to store session data?
Yes, but only stateless data that does not change often. Because a JWT cannot be invalidated before expiry (without a blocklist), avoid storing data that changes frequently (like user roles that might be revoked). Keep JWT payloads small — they are included in every request header.
If jsondecode.com saved you time, share it with your team