EVMTools

JWT Decoder

Decode JSON Web Tokens into header, payload, and signature. View claims, check expiration, and validate JWT structure.

About JWT Tokens

A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties. JWTs consist of three Base64url-encoded parts separated by dots: Header, Payload, and Signature.

The header contains the signing algorithm (e.g., HS256, RS256) and token type. The payload contains claims -- statements about the user and metadata like expiration time (exp), issuer (iss), and subject (sub).

This tool decodes the token client-side and does not verify the signature, as that requires the secret key or public key. Always verify signatures server-side before trusting token claims.

How to Use This JWT Decoder

This tool decodes JSON Web Tokens instantly in your browser, letting you inspect the header, payload, and signature of any JWT without installing libraries or writing code. It is useful for debugging authentication flows, verifying token claims, and checking expiration times during development.

  1. Paste your JWT token into the input field. The token should be in the standard three-part format: header.payload.signature. You can copy it from browser DevTools, an API response, or your application logs.
  2. View the decoded header to see the signing algorithm (such as HS256, RS256, or ES256) and the token type. This tells you how the token was signed and what key type is needed for verification.
  3. Inspect the payload to read all claims including sub (subject/user ID), iss (issuer), aud (audience), iat (issued at), and exp (expiration). Custom claims added by your application are also displayed.
  4. Check the expiration — the tool converts Unix timestamps to human-readable dates and shows whether the token is currently valid or expired.
  5. Review the signature section. While this tool does not verify signatures (that requires the secret or public key), it shows the raw signature data for reference.

All decoding happens client-side. Your tokens never leave your browser, so it is safe to decode production tokens containing user data or authentication claims during debugging sessions.
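The five steps above, together with the expiration rules from the FAQ further down, as an added Node.js example (not the EVMTools code; function names and the sample token are constructed here, and the signature is a zero-byte placeholder):

```javascript
// Added example (not the EVMTools code): decode a JWT into header, payload and raw signature,
// then apply the exp / nbf / iat checks a verifying server uses (RFC 7519 sections 4.1.4-4.1.6).
// Function names and the sample token are constructed for this example.

const B64URL_RE = /^[A-Za-z0-9_-]+$/;

function b64urlToBuffer(s) {
  if (!B64URL_RE.test(s)) throw new Error('part is not valid base64url');
  return Buffer.from(s, 'base64url'); // Node 16+ understands the base64url alphabet directly
}

// Steps 1-3 and 5: exactly three dot-separated parts, header and payload parsed as JSON,
// signature returned as raw bytes. Nothing here proves the token is genuine.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error(`expected header.payload.signature, got ${parts.length} part(s)`);
  const [h, p, s] = parts;
  const header = JSON.parse(b64urlToBuffer(h).toString('utf8'));
  const payload = JSON.parse(b64urlToBuffer(p).toString('utf8'));
  if (typeof header.alg !== 'string') throw new Error('header has no alg field');
  return { header, payload, signature: b64urlToBuffer(s), signingInput: `${h}.${p}` };
}

// Step 4: time-based validity. Expired means now >= exp; nbf and iat are checked when present.
function checkTimes(payload, nowSeconds, leewaySeconds = 0) {
  const problems = [];
  if (typeof payload.exp !== 'number') problems.push('no exp claim: token never expires');
  else if (nowSeconds >= payload.exp + leewaySeconds) problems.push('expired');
  if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf - leewaySeconds) problems.push('not yet valid (nbf)');
  if (typeof payload.iat === 'number' && payload.iat > nowSeconds + leewaySeconds) problems.push('issued in the future (iat)');
  const expiresAt = typeof payload.exp === 'number' ? new Date(payload.exp * 1000).toISOString() : null;
  return { ok: problems.length === 0, problems, expiresAt };
}

// Constructed sample: real header and payload encoding, signature replaced by 32 zero bytes
// (it decodes fine but would fail any real verification).
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const SAMPLE_JWT = [
  b64url({ alg: 'HS256', typ: 'JWT' }),
  b64url({ sub: 'user-42', iss: 'https://auth.example', aud: 'evmtools', iat: 1700000000, exp: 1700003600 }),
  Buffer.alloc(32).toString('base64url'),
].join('.');

const decoded = decodeJwt(SAMPLE_JWT);
console.log(decoded.header, decoded.payload);
console.log(checkTimes(decoded.payload, 1700001800)); // inside the one-hour window: ok
console.log(checkTimes(decoded.payload, 1700003600)); // at exp exactly: expired
```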

Common Use Cases

  • API authentication debugging — Decode access tokens and refresh tokens to verify they contain the correct scopes, roles, and user identifiers when troubleshooting 401/403 errors.
  • OAuth token inspection — Examine ID tokens and access tokens from OAuth 2.0 / OpenID Connect providers to confirm issuer, audience, and claim values match your configuration.
  • Web3 authentication — Inspect JWTs issued after Sign-In with Ethereum (SIWE) flows to verify the wallet address, chain ID, and session duration are correct.
  • Token expiration verification — Quickly check whether a JWT has expired or is about to expire, which is essential when debugging token refresh logic or session timeout issues.
  • Security auditing — Review token payloads to ensure sensitive information is not exposed and that tokens use strong signing algorithms like RS256 or ES256 instead of the weaker HS256 with short secrets.

Frequently Asked Questions

What is a JSON Web Token (JWT)?

A JSON Web Token is a compact, URL-safe token format defined by RFC 7519. It consists of three Base64URL-encoded parts separated by dots: a header specifying the algorithm, a payload containing claims (like user ID and expiration), and a cryptographic signature that verifies the token has not been tampered with.

What is the difference between JWT and session cookies?

Session cookies store a session ID on the client while the actual session data lives on the server. JWTs are self-contained tokens that carry all the data in the payload, so the server does not need to look up a session store. JWTs are stateless and scale well across distributed systems, but they cannot be easily revoked before expiration.

What are the three parts of a JWT (header, payload, signature)?

The header declares the token type and signing algorithm (e.g., HS256 or RS256). The payload contains claims such as sub (subject), iat (issued at), exp (expiration), and any custom data. The signature is created by signing the encoded header and payload with a secret key or private key to ensure integrity.

How does JWT expiration work?

The exp claim in the payload is a Unix timestamp indicating when the token expires. Servers should reject tokens where the current time exceeds this value. The iat (issued at) and nbf (not before) claims provide additional time-based validation.

Is it secure to decode a JWT in the browser?

Decoding a JWT (reading the header and payload) is safe because these sections are only Base64URL-encoded, not encrypted. Anyone with the token can read its contents. Security comes from the signature, which prevents tampering. Never put sensitive secrets in the payload unless the token is also encrypted (JWE).

How are JWTs used in Web3 and decentralized applications?

In Web3, JWTs are often issued after a user proves wallet ownership through a message signature (Sign-In with Ethereum / EIP-4361). The JWT then serves as a session token for off-chain APIs, combining wallet-based authentication with traditional backend authorization.