JWT Decoder
Inspect a JSON Web Token's header and payload. Verification is intentionally not performed — this is for debugging only.
What is a JWT?
A JSON Web Token (JWT, pronounced "jot") is a compact, URL-safe way of carrying signed JSON between parties — most commonly an authentication server and your app. A JWT has three base64url-encoded parts joined by dots: header.payload.signature. The header says which signing algorithm was used; the payload is a JSON object with claims (subject, expiry, custom data); the signature lets the receiver verify that the token wasn't tampered with. The standard is defined in RFC 7519.
How to use this decoder
Paste a JWT into the input above. The tool splits on the dots, base64url-decodes the first two segments, and pretty-prints the resulting JSON in two panels — Header and Payload. The third panel shows the raw signature string. If the payload contains iat, nbf or exp claims, the tool also displays them as readable UTC timestamps and tells you whether the token has expired. Decoding is live: as soon as you finish typing, the panels update.
Decoded ≠ verified
A JWT decoder is a debugging aid, not a security tool. Anyone can decode a JWT — the encoding is reversible by design. The signature is what makes the token trustworthy, and verifying a signature requires the issuer's secret (HS256) or public key (RS256, ES256). Never trust a JWT's contents in production code without verifying its signature first. Use the JWT library that ships with your framework to do this; never roll your own.
Standard JWT claims
| Claim | Name | Meaning |
|---|---|---|
| iss | Issuer | Identifies the entity that issued the token (e.g. an auth server URL). |
| sub | Subject | Identifies the principal the token is about — usually a user ID. |
| aud | Audience | The recipients the token is intended for. Receivers must reject tokens not addressed to them. |
| exp | Expiration time | Unix timestamp after which the token must not be accepted. |
| nbf | Not before | Unix timestamp before which the token must not be accepted. |
| iat | Issued at | Unix timestamp at which the token was issued. |
| jti | JWT ID | Unique identifier for the token, useful for revocation lists. |
Frequently asked questions
Is my JWT sent anywhere?
Why doesn't this tool verify the signature?
jwt to verify signatures in a controlled environment.
I get "Not a JWT" — what's wrong?
Common causes: a Bearer prefix copied from an HTTP header (strip it), only the payload was pasted (you need the header and signature too), or the token is actually a JWE (encrypted), which has five segments and isn't decodable without the recipient's private key.
Why is the payload base64url and not regular base64?
Standard base64 uses +, / and = padding, none of which are URL-safe. Base64url replaces + with -, / with _, and drops the padding entirely. The result can be embedded in a URL or HTTP header without further escaping. This decoder converts back to standard base64 before calling the browser's atob.
What does alg: none mean?
alg: none exists in the spec but is dangerous in practice: a well-known class of vulnerabilities exploited libraries that accepted alg: none tokens as if they were validly signed. If you see this in a production token, treat it as a serious finding.
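The decoding steps described above (split on dots, base64url to base64, atob, pretty-print, timestamp check) and the "Not a JWT" and alg: none answers, as an added JavaScript example; this is not the tool's own source. It assumes the browser/Node globals atob, btoa, TextEncoder and TextDecoder, and the sample token and its placeholder signature are constructed here.

```javascript
// base64url -> standard base64: undo the -/_ substitution and restore '=' padding.
function base64urlToBase64(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return b64 + "=".repeat((4 - (b64.length % 4)) % 4);
}

// Inverse direction, used only to build the constructed sample token below.
function base64urlEncode(str) {
  const bin = String.fromCharCode(...new TextEncoder().encode(str));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode one segment into a JSON object (UTF-8 aware, unlike raw atob output).
function decodeSegment(seg) {
  const bytes = Uint8Array.from(atob(base64urlToBase64(seg)), c => c.charCodeAt(0));
  const obj = JSON.parse(new TextDecoder().decode(bytes));
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    throw new Error("Not a JWT: segment is not a JSON object");
  }
  return obj;
}

// Returns header, payload, raw signature, readable timestamps and debugging
// findings. `now` is a Unix timestamp (injectable so results are reproducible).
// The signature is never verified: `verified` is always false.
function decodeJwt(input, now = Math.floor(Date.now() / 1000)) {
  const token = input.trim().replace(/^Bearer\s+/i, ""); // strip a copied "Bearer " prefix
  const parts = token.split(".");
  if (parts.length === 5) throw new Error("Not a JWT: five segments, looks like a JWE");
  if (parts.length !== 3) throw new Error("Not a JWT: expected header.payload.signature");
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  const times = {};
  const findings = [];
  for (const c of ["iat", "nbf", "exp"]) {
    if (typeof payload[c] === "number") times[c] = new Date(payload[c] * 1000).toISOString();
  }
  if (String(header.alg).toLowerCase() === "none") findings.push("alg: none"); // case-insensitive
  if (typeof payload.exp === "number" && now >= payload.exp) findings.push("expired");
  if (typeof payload.nbf === "number" && now < payload.nbf) findings.push("not yet valid");
  return { header, payload, signature: parts[2], times, findings, verified: false };
}

// Constructed sample: HS256 header, one-hour lifetime, placeholder signature.
const SAMPLE_TOKEN = [
  base64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64urlEncode(JSON.stringify({ sub: "user-123", iat: 1700000000, exp: 1700003600 })),
  "placeholder-signature",
].join(".");
```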