JWT Decoder

Paste a JWT and see exactly what's inside. We decode and explain — never validate against a key, never send your token anywhere.

JWT Token

Token Segments

Header

Payload

Standard Claims (Explained)

Signature

Signature verification requires the issuer's secret or public key, which we never have. This tool decodes only — a decoded JWT proves nothing about authenticity.

What is a JWT?

JWT in 30 seconds

A JSON Web Token is a compact, URL-safe way to carry signed claims between two parties — typically as proof of identity ("this user is logged in"). It looks like three Base64URL strings separated by dots:

HEADER . PAYLOAD . SIGNATURE

Header — the algorithm and token type.
Payload — the claims (who, when, what).
Signature — proves the token wasn't tampered with, signed using a secret only the issuer has.

Standard claims (RFC 7519)

iss — issuer (who created it)
sub — subject (who it's about, often a user ID)
aud — audience (who it's intended for)
exp — expiration (Unix timestamp; reject if past)
nbf — not before (Unix timestamp; reject if future)
iat — issued at (Unix timestamp)
jti — JWT ID (unique identifier for the token)

Security warnings

JWTs are not encrypted. The payload is just Base64. Don't put secrets in there.
Decoded ≠ verified. Anyone can change the payload and re-Base64 it. Only the signature check proves it wasn't tampered with — and that needs the issuer's key.
Algorithm "none" is a famous attack. Some libraries accept alg: "none" tokens as valid. Don't.