JWT Token Decoder
Decode and inspect JSON Web Tokens instantly. View the header, payload, and signature with color-coded output. 100% client-side — no data leaves your browser.
Paste Your JWT Token
Enter a JSON Web Token below to decode its header, payload, and signature. Supports HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, and PS256 algorithms.
Standard JWT Claims Reference
JSON Web Tokens use registered claim names defined in RFC 7519. These claims are not mandatory but provide a standardized set of useful, interoperable fields.
| Claim | Full Name | Description |
|---|---|---|
| iss | Issuer | Identifies the principal that issued the JWT. Typically a URL or string identifying the auth server. |
| sub | Subject | Identifies the subject of the JWT. Usually the user ID or unique identifier for the authenticated entity. |
| aud | Audience | Identifies the recipients the JWT is intended for. Can be a string or array of strings (e.g., API endpoints). |
| exp | Expiration Time | The time after which the JWT must not be accepted. Value is a Unix timestamp (seconds since epoch). |
| nbf | Not Before | The time before which the JWT must not be accepted. Useful for tokens that activate in the future. |
| iat | Issued At | The time at which the JWT was issued. Used to determine the age of the token. |
| jti | JWT ID | A unique identifier for the JWT. Lets a server detect replay by recording the IDs it has already accepted and rejecting a token that is presented a second time. |
| name | Full Name | End-user's full name (OpenID Connect standard claim). |
| email | Email | End-user's email address (OpenID Connect standard claim). |
| roles | Roles | Common custom claim for role-based access control (RBAC). Not part of the JWT spec but widely used. |
| scope | Scope | OAuth 2.0 scope values. Defines the permissions granted by the token. |
What is a JSON Web Token (JWT)?
JWT Structure
A JSON Web Token consists of three Base64URL-encoded parts separated by dots: the Header (algorithm and token type), the Payload (claims and data), and the Signature (cryptographic verification). The format is header.payload.signature.
Authentication & Authorization
JWTs are the industry standard for stateless authentication in modern web applications. After login, the server issues a signed JWT that the client sends with each request. Because the server verifies the signature instead of looking a session up in a database, any instance that holds the verification key can accept the token, which is what makes horizontal scaling straightforward.
Signing Algorithms
JWTs support symmetric (HMAC with SHA-256/384/512) and asymmetric (RSA, ECDSA) signing algorithms. HS256 uses a shared secret, so every party that can verify a token can also mint one. RS256 uses a public/private key pair, so any party holding the public key can verify a token without ever having access to the private signing key.
Security Best Practices
Always validate the signature before trusting a JWT's claims. Check the exp claim for expiration, iss for the expected issuer, and aud for the intended audience. Never store sensitive data in the payload — it's only encoded, not encrypted.
OAuth 2.0 & OpenID Connect
JWTs are central to OAuth 2.0 access tokens and OpenID Connect ID tokens. OIDC ID tokens carry user identity claims like sub, email, and name, enabling single sign-on (SSO) across applications.
Why Decode JWTs?
Decoding JWTs helps developers debug authentication flows, verify token contents, check expiration times, and understand what claims are being sent. This decoder runs entirely in your browser, so your tokens remain private and secure.
Common Use Cases
Debug Auth Issues
Quickly inspect JWT tokens to troubleshoot login failures, expired sessions, missing claims, and incorrect audience values in your API authentication flow.
Check Token Expiration
Instantly see whether a JWT is still valid or expired. The decoder converts Unix timestamps to human-readable dates and shows the remaining time or time since expiry.
API Development
Verify that your API is issuing tokens with the correct claims, scopes, and algorithms. Essential during development and integration testing of OAuth and OIDC flows.