JWT Decoder
Paste a complete JSON Web Token (with or without the "Bearer " prefix) to decode and inspect the header, payload claims, and signature. No data is sent to any server; decoding happens entirely in your browser.
How JWTs Work
A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519. It consists of three Base64URL-encoded parts separated by dots.
Header
The header (JOSE Header) typically contains the signing algorithm (alg) and token type (typ). It may also include a key ID (kid) to identify which key was used.
Payload
The payload contains claims — statements about the user and metadata. Registered claims like sub (subject), exp (expiration), and iat (issued at) are standardized. Custom claims carry application-specific data like roles or permissions.
Signature
The signature lets a recipient detect whether the header or payload has been altered. It is computed over the encoded header and payload using the algorithm named in the header. Symmetric algorithms (HS256) use a shared secret for both signing and verification; asymmetric algorithms (RS256, ES256) sign with a private key and are verified with the corresponding public key.
Registered JWT Claims
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | The principal that issued the JWT |
| sub | Subject | The principal that is the subject of the JWT |
| aud | Audience | The recipients that the JWT is intended for |
| exp | Expiration | The time after which the JWT must not be accepted (Unix timestamp) |
| nbf | Not Before | The time before which the JWT must not be accepted (Unix timestamp) |
| iat | Issued At | The time at which the JWT was issued (Unix timestamp) |
| jti | JWT ID | Unique identifier for the JWT, used to prevent replay attacks |