JWT Decoder & Inspector
Decode, inspect, and verify JSON Web Tokens. Check expiration, view claims with explanations, verify signatures. All client-side.
What is a JWT Token?
JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. JWTs are commonly used for authentication, authorization, and information exchange in web applications and APIs. They are self-contained, meaning the token itself carries all the information needed to verify the identity and claims of the bearer.
JWTs are widely used in modern web development with OAuth 2.0, OpenID Connect, and API authentication. Services like Auth0, Firebase, AWS Cognito, and Supabase all use JWTs for session management and authorization.
JWT Structure Explained
A JWT consists of three parts separated by dots (xxxxx.yyyyy.zzzzz):
1. Header
Contains metadata about the token: the signing algorithm (e.g., HS256, RS256) and the token type (typically "JWT"). The header is Base64url-encoded JSON.
2. Payload
Contains the claims — statements about the user and additional metadata. Claims can be registered (standard), public, or private. The payload is Base64url-encoded JSON. Note: The payload is encoded, not encrypted — anyone can decode and read it.
3. Signature
Created by signing the encoded header and payload with a secret key (HMAC) or a private key (RSA/ECDSA). The signature verifies that the token has not been tampered with and, in the case of asymmetric algorithms, authenticates the sender.
Common JWT Claims
| Claim | Full Name | Description |
|---|---|---|
| iss | Issuer | Entity that issued the token |
| sub | Subject | Entity the token represents (usually a user ID) |
| aud | Audience | Intended recipients of the token |
| exp | Expiration Time | Unix timestamp after which the token is no longer valid |
| nbf | Not Before | Unix timestamp before which the token is not valid |
| iat | Issued At | Unix timestamp when the token was created |
| jti | JWT ID | Unique identifier used to prevent token replay |
FAQ
Is this tool secure? Is my JWT token sent to a server?
Yes, it is completely secure. All decoding and verification happens in your browser using JavaScript and the Web Crypto API. No data is sent to any server. Your JWT tokens never leave your device. You can verify this by checking the network tab in your browser's developer tools.
Can this tool verify JWT signatures?
Yes. This tool supports client-side signature verification for HMAC-based algorithms (HS256, HS384, HS512) using the Web Crypto API. Simply enter your secret key and click Verify. Asymmetric algorithms (RS256, ES256, etc.) require a public key and are typically verified server-side.
What is the difference between HS256 and RS256?
HS256 (HMAC-SHA256) is a symmetric algorithm — the same secret key is used to both sign and verify the token. RS256 (RSA-SHA256) is an asymmetric algorithm — a private key signs the token and a separate public key verifies it. RS256 is preferred for distributed systems where verifiers should not have access to the signing key.
Why should I never trust JWT claims without verification?
JWT payloads are only Base64url-encoded, not encrypted. Anyone can decode and read them. The signature ensures integrity — without verifying it, an attacker could modify the payload (e.g., change roles, extend the expiration) and the application would have no way to detect the tampering.
What happens when a JWT expires?
When the current time exceeds the exp (Expiration Time) claim, the token is considered expired. Well-implemented servers will reject expired tokens and require the client to obtain a new one, typically through a refresh token flow. This limits the damage if a token is compromised.