JWT Decoder - Decode and Verify JWTs in Your Browser

// decode JWTs without sending data to a server

Client-side only — your data never leaves the browser

How to Decode JWT Tokens

1. Paste Your JWT Token

Copy your JSON Web Token and paste it into the input field. The JWT decoder automatically parses and decodes the Base64URL-encoded token instantly.

2. View Decoded Claims

Inspect the decoded JWT header and payload. View claims like iss, sub, exp, and iat in JSON or table format with human-readable timestamps.

3. Verify JWT Signature

Enter your secret key or public key to verify the token's signature. Supports HS256, HS384, HS512 (HMAC) algorithms for signature validation.

What is a JSON Web Token (JWT)?

header . payload . signature

A JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a compact, URL-safe JSON object. JWTs are commonly used for authentication, authorization, and information exchange in modern web applications, APIs, and single sign-on (SSO) systems.

header

Contains the token type and signing algorithm (e.g., HS256, RS256, ES256).

{"alg": "HS256", "typ": "JWT"}

payload

Contains claims: registered (iss, exp, sub), public, and private claims.

{"sub": "user123", "exp": 1699999999}

signature

Cryptographic signature that verifies the token hasn't been tampered with.

HMACSHA256(base64url(header) + "." + base64url(payload), secret)

Common JWT Use Cases

API Authentication

JWTs are the standard for securing REST APIs. After login, the server issues a JWT that the client includes in the Authorization: Bearer header for subsequent requests.

Single Sign-On (SSO)

JWTs enable seamless authentication across multiple applications. One login generates a token that works across all connected services in your organization.

Information Exchange

Securely transmit data between parties. The signature ensures the sender's identity and that the message wasn't altered in transit.

Mobile App Authentication

Stateless authentication ideal for mobile apps. No server-side sessions needed—the JWT contains all necessary user information.

Frequently Asked Questions

Is this JWT decoder safe to use with production tokens?

Yes, this JWT decoder is completely safe. All decoding and verification happens entirely in your browser using JavaScript. Your tokens and secret keys are never sent to any server. You can verify this by checking network requests in your browser's developer tools—no data leaves your device.

What's the difference between decoding and verifying a JWT?

Decoding simply converts the Base64URL-encoded header and payload back to readable JSON. Anyone can decode a JWT without a key. Verifying checks the cryptographic signature to ensure the token hasn't been tampered with and was issued by a trusted source. Verification requires the secret key (for HMAC) or public key (for RSA/ECDSA).

Which JWT signing algorithms are supported?

This tool can decode JWTs signed with any algorithm. For signature verification, we currently support HMAC algorithms (HS256, HS384, HS512) using the Web Crypto API. RSA (RS256, RS384, RS512) and ECDSA (ES256, ES384, ES512) verification support is planned.

Why does my JWT signature verification fail?

Common reasons include:

  1) Wrong secret key: ensure you're using the exact same key that signed the token.
  2) Wrong format: try toggling between UTF-8 and Base64 if your secret is Base64-encoded.
  3) Algorithm mismatch: check that the alg parameter in the header matches your verification method.
  4) Token was modified: any change to the header or payload invalidates the signature.
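The two answers above (decoding versus verifying, and why verification fails) can be seen side by side in the following added example, which is not this tool's own code. It uses Node.js's built-in crypto module rather than the Web Crypto API, and the key, claims and helper names (decodeJwt, signHs256, verifyHs256, withPayload) are constructed for illustration.

```javascript
const nodeCrypto = require("node:crypto");

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const hmac = (key, data) => nodeCrypto.createHmac("sha256", key).update(data).digest();

// Decoding needs no key: split on ".", reverse Base64URL, parse JSON.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts.slice(0, 2)
    .map((p) => JSON.parse(Buffer.from(p, "base64url").toString("utf8")));
  return { header, payload, signingInput: `${parts[0]}.${parts[1]}`, signature: parts[2] };
}

// Builds the constructed sample token; keyBytes is a Buffer.
function signHs256(header, payload, keyBytes) {
  const signingInput = `${b64url(header)}.${b64url(payload)}`;
  return `${signingInput}.${hmac(keyBytes, signingInput).toString("base64url")}`;
}

// Verifying recomputes the HMAC over the signing input and compares in constant time.
// The algorithm is pinned here rather than trusted from the token's header.
// secretEncoding is "utf8" or "base64": the same string gives different key bytes.
function verifyHs256(token, secret, secretEncoding = "utf8") {
  const { header, signingInput, signature } = decodeJwt(token);
  if (header.alg !== "HS256") return false;
  const expected = hmac(Buffer.from(secret, secretEncoding), signingInput);
  const given = Buffer.from(signature, "base64url");
  return given.length === expected.length && nodeCrypto.timingSafeEqual(given, expected);
}

// Returns a copy of the token with a different payload and the original signature.
function withPayload(token, payload) {
  const [h, , s] = token.split(".");
  return `${h}.${b64url(payload)}.${s}`;
}

// Constructed sample: the signer's key is the raw bytes behind this Base64 string.
const SECRET_B64 = "ZXhhbXBsZS1rZXktbm90LWZvci1wcm9k";
const token = signHs256({ alg: "HS256", typ: "JWT" },
  { sub: "user123", exp: 1699999999 }, Buffer.from(SECRET_B64, "base64"));
const altered = withPayload(token, { sub: "user456", exp: 1699999999 });

console.log(decodeJwt(altered).payload.sub);             // decoding still succeeds
console.log(verifyHs256(token, SECRET_B64, "base64"));   // right key bytes
console.log(verifyHs256(token, SECRET_B64, "utf8"));     // same string, wrong format
console.log(verifyHs256(altered, SECRET_B64, "base64")); // payload changed
```

A signature check alone does not enforce exp, nbf or aud; a verifier that accepts tokens must check those claims separately.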

What do the standard JWT claims mean?

Registered claims defined in RFC 7519:

  • iss (issuer) – Who issued the token
  • sub (subject) – The user or entity the token represents
  • aud (audience) – Intended recipient of the token
  • exp (expiration) – Unix timestamp when the token expires
  • nbf (not before) – Token is not valid before this time
  • iat (issued at) – When the token was created
  • jti (JWT ID) – Unique identifier for the token