🔐 JWT Inspector

JWT Token Decoder

Decode and inspect JSON Web Tokens (JWT). View header, payload, claims, and check expiration instantly.

🔍 Instant Decoding
⏰ Expiration Check
🔒 Client-Side Only

What is JWT?

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. It consists of three parts separated by dots: Header.Payload.Signature

Header: Contains the token type (JWT) and the signing algorithm (e.g., HS256, RS256)
Payload: Contains the claims (user data, permissions, expiration, etc.)
Signature: Lets the recipient verify that the header and payload have not been tampered with, but only if the signature is actually checked

What is a JSON Web Token (JWT)?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. JWTs are commonly used for authentication and authorization in modern web applications and APIs.

JWT Structure

A JWT consists of three parts separated by dots (.):

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Header - Algorithm and token type
Payload - Claims and user data
Signature - Verification signature

Common JWT Use Cases

  • Authentication: Users log in and receive a JWT to access protected resources
  • Authorization: Verify user permissions and access levels
  • Information Exchange: Transmit signed information between parties (the signature provides integrity, not confidentiality)
  • Single Sign-On (SSO): Share authentication across multiple applications
  • API Security: Secure REST APIs and microservices

JWT Claims Explained

The payload contains claims, which are statements about an entity (typically the user) and additional data. There are three types of claims: registered, public, and private.

Registered Claims

iss - Issuer
sub - Subject
aud - Audience
exp - Expiration Time
nbf - Not Before
iat - Issued At
jti - JWT ID

Custom Claims

You can define your own custom claims to transmit information between parties.

name - User name
email - Email address
role - User role
permissions - Access rights

JWT Signing Algorithms

HMAC (HS256, HS384, HS512)

Symmetric algorithm using a shared secret key: the same secret both signs and verifies, so every party that can verify tokens can also mint them. Fast and simple.

RSA (RS256, RS384, RS512)

Asymmetric algorithm using public/private key pairs: the private key signs and only the public key is needed to verify, so verifiers never hold the signing key. More secure when several services must verify tokens.

ECDSA (ES256, ES384, ES512)

Asymmetric algorithm based on elliptic curve cryptography. Smaller keys and signatures than RSA at comparable security, and faster signing.

Why Use Our JWT Decoder?

🔒 Privacy First

All decoding happens in your browser. Your tokens never leave your device or touch our servers.

⚡ Instant Decoding

Decode JWTs in milliseconds. No waiting, no loading, just instant results.

⏰ Expiration Check

Automatically detects and warns if tokens are expired based on the exp claim.

📋 Easy Copy

Copy header, payload, or signature individually with one click.

Important Security Notes

  • ⚠️ JWTs are not encrypted: The payload is only Base64url-encoded and can be decoded by anyone. Never store sensitive data in JWTs.
  • ⚠️ This tool does NOT verify signatures: Signature verification requires the secret key or public key. Use server-side libraries for verification.
  • ⚠️ Always validate tokens server-side: Never trust JWTs from clients without proper verification.
  • ⚠️ Use HTTPS: Always transmit JWTs over secure connections to prevent interception.

Frequently Asked Questions

Is JWT decoding the same as JWT verification?

No. Decoding simply reads the contents of a JWT. Verification checks that the signature is valid using the secret key or public key. This tool only decodes - it does not verify signatures.

Can anyone decode my JWT?

Yes. JWTs are Base64url-encoded, not encrypted. Anyone with access to the token can decode and read the header and payload. This is why you should never store sensitive information in JWTs.

What does "Bearer" mean in JWT?

"Bearer" is an authentication scheme that indicates the requester holds a token that grants access. You'll often see JWTs sent as Authorization: Bearer <token> in HTTP headers. Our tool automatically strips the "Bearer" prefix.

How do I verify a JWT signature?

Signature verification must be done server-side using a JWT library (like jsonwebtoken for Node.js, PyJWT for Python, etc.) with the secret key or public key. You cannot verify signatures without the key.