JWT Decoder — Free 2026
Paste a JSON Web Token to instantly view its header, payload, signature, and expiration status. Everything runs locally in your browser.
—
—
How It Works
- Paste your JWT
- View decoded sections
- Check expiration
Understanding JSON Web Tokens
JSON Web Tokens (JWTs) are one of the most widely used standards for authentication and information exchange on the modern web. Defined in RFC 7519, a JWT is a compact, self-contained token that encodes a set of claims as a JSON object. The token is digitally signed (and optionally encrypted), which allows the recipient to verify its authenticity without making a database lookup or network call. This stateless nature makes JWTs ideal for distributed systems, microservices architectures, and single-page applications.
A JWT consists of three parts separated by dots (.): the header, the payload, and the signature. Each part is Base64URL-encoded. The header typically contains two fields: alg (the signing algorithm, such as HS256 or RS256) and typ (the token type, always "JWT"). The payload contains claims — key-value pairs that carry the token's data. The signature is created by signing the encoded header and payload with a secret key or private key, ensuring the token has not been tampered with.
Registered Claims
The JWT specification defines several registered claims that have standardized meanings. The most important ones are iss (issuer — who created the token), sub (subject — who the token is about), aud (audience — who the token is intended for), exp (expiration time), nbf (not before — when the token becomes valid), iat (issued at), and jti (JWT ID — a unique identifier for the token). The exp and iat claims are Unix timestamps, which this tool automatically converts to human-readable dates.
Security Considerations
While JWTs are signed, they are not encrypted by default. Anyone with access to the token can read the payload simply by Base64-decoding it — exactly what this tool does. For this reason, never store sensitive information (passwords, credit card numbers, personal data) in a JWT payload unless the token is also encrypted (JWE). Always validate tokens on the server side: check the signature, verify the expiration, confirm the issuer and audience, and reject tokens with unexpected algorithms (to prevent algorithm confusion attacks).
For working with the raw JSON data inside tokens, our JSON formatter can help you prettify and validate JSON structures. If you need to encode or decode the Base64 segments manually, try our Base64 encoder/decoder.
Common JWT Patterns
The most common JWT workflow is authentication. After a user logs in, the server creates a JWT containing the user's ID and permissions, signs it, and sends it to the client. The client includes this token in the Authorization header of subsequent API requests. The server verifies the token's signature and reads the claims without needing to query a session store. This approach scales horizontally because any server instance can verify the token independently.
Short-lived access tokens (5-15 minutes) paired with longer-lived refresh tokens are a best practice. When the access token expires, the client uses the refresh token to obtain a new one. This limits the window of opportunity if an access token is compromised. Always store tokens securely: in HTTP-only cookies for web applications (which prevents JavaScript access and mitigates XSS attacks) or in secure storage on mobile devices.
Comments