JWT Decoder

Decode and inspect JSON Web Token payloads.

Frequently Asked Questions

What is a JWT (JSON Web Token)?

A JWT is a compact, URL-safe token format used for authentication and information exchange. It consists of three Base64URL-encoded parts separated by dots: header (algorithm and type), payload (claims and data), and signature (computed over the header and payload with the signing key). The header and payload are only encoded, not encrypted, so anyone who holds the token can read them. JWTs are widely used in OAuth2, API authentication, and single sign-on systems.

What information does the decoder show?

The decoder displays the header (algorithm, token type, key ID), all payload claims (issuer, subject, audience, expiration, issued-at, custom claims), and the signature. Timestamps are converted to human-readable dates. It also checks if the token is expired based on the exp claim.

Can this tool verify the JWT signature?

The decoder displays and parses the token structure but does not verify the cryptographic signature, as that requires the signing secret or public key. It is a debugging and inspection tool, so treat the decoded claims as unverified. For signature verification in production, use your server-side JWT library with the appropriate key.

Is it safe to paste my JWT here?

The tool runs entirely in your browser — no data is sent to any server. However, JWTs may contain sensitive information (user IDs, roles, email). Never share JWTs in public forums or paste production tokens into online tools you do not trust. This tool is safe as all processing is client-side.

What are common JWT claims?

Standard claims include: iss (issuer), sub (subject/user ID), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (unique token ID). Custom claims can contain any JSON data the application needs, such as user roles, permissions, or organization IDs.