JWT Decoder & Encoder

Debugging authentication flows, inspecting API tokens, or verifying claims in a JSON Web Token requires decoding its Base64URL-encoded parts. This free tool instantly decodes the header and payload of any JWT, checks expiration status, and lets you build new tokens — all entirely in your browser. Your tokens never leave your machine.


How to Use This Tool

  1. Paste your JWT into the input field above. The token should have three parts separated by dots (header.payload.signature).
  2. View decoded data — the header and payload are decoded and displayed automatically in real time as formatted JSON.
  3. Check token status — the status bar shows whether the token is valid, expired, or not yet active based on the exp and nbf claims.
  4. Inspect claims — the claims table below the output explains each standard claim with human-readable timestamps and descriptions.
  5. Copy the output — click "Copy" on the header or payload panel to copy the decoded JSON to your clipboard.

What Is a JSON Web Token (JWT)?

A JSON Web Token (JWT, pronounced "jot") is a compact, URL-safe format for securely transmitting information between parties as a JSON object. JWTs are the backbone of modern authentication and authorization systems, used by OAuth 2.0, OpenID Connect, and countless APIs to pass identity information and access permissions without requiring server-side session storage. A JWT consists of three Base64URL-encoded segments separated by dots: the header, the payload, and the signature.

The header typically contains two fields: the signing algorithm (such as HS256 or RS256) and the token type (usually "JWT"). The payload carries the claims — pieces of information about the user or session, such as a user ID, email address, roles, and expiration time. Standard claims like iss (issuer), sub (subject), exp (expiration), and iat (issued at) are defined by the JWT specification, but applications can add any custom claims they need.

The signature is computed over the encoded header and payload using a secret key (for HMAC algorithms) or a private key (for RSA or ECDSA). This signature allows the receiving party to verify that the token has not been tampered with, provided the receiver actually checks it. It is important to understand that the header and payload of a standard JWT (JWS) are encoded, not encrypted — anyone with the token can decode and read the claims. This is why sensitive information should never be stored in a JWT payload, and why you should always use HTTPS when transmitting tokens.
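The structure described above, and the exp/nbf status check from the usage steps, as an added example in plain browser/Node JavaScript (this is illustrative code, not the tool's own implementation; the sample claims, the token and its placeholder signature segment are constructed for the example):

```javascript
// Decode a JWT's header and payload and classify it by exp/nbf.
// Decoding only: the signature segment is NOT verified here, because
// that requires the key and belongs server-side.

function base64UrlDecode(segment) {
  // Base64URL uses '-' and '_' for '+' and '/' and drops '=' padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // handles UTF-8 claim values
}

function base64UrlEncode(str) {
  const bytes = new TextEncoder().encode(str);
  const bin = Array.from(bytes, (b) => String.fromCharCode(b)).join("");
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// RFC 7519: now must be before exp, and at or after nbf (both in seconds).
function tokenStatus(payload, nowSeconds) {
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) return "expired";
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) return "not yet active";
  return "valid";
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("JWT must have 3 dot-separated parts");
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  // signatureVerified is always false: nothing here checked parts[2].
  return { header, payload, status: tokenStatus(payload, nowSeconds), signatureVerified: false };
}

// Constructed sample (hypothetical claims). The third segment is a
// placeholder string, not a real HMAC, since this example only decodes.
const SAMPLE_HEADER = { alg: "HS256", typ: "JWT" };
const SAMPLE_PAYLOAD = { iss: "example-issuer", sub: "user-123",
                         iat: 1700000000, nbf: 1700000000, exp: 1700003600 };
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify(SAMPLE_HEADER)),
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
  "signature-placeholder",
].join(".");

console.log(decodeJwt(SAMPLE_TOKEN, 1700001000)); // status: "valid"
```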

Frequently Asked Questions

What is a JWT token?
A JSON Web Token (JWT) is a compact, URL-safe token format used to securely transmit information between parties as a JSON object. It consists of three Base64URL-encoded parts separated by dots: a header (algorithm and token type), a payload (claims such as user ID, roles, and expiration time), and a signature that verifies the token has not been tampered with.
Is it safe to decode JWT tokens online?
It depends on the tool. This tool runs entirely in your browser — your token is never sent to any server, so it is safe to use with real tokens. Many other online JWT decoders send your token to a backend for processing, which could expose sensitive claims like user IDs, roles, and email addresses. Always check whether a tool processes data client-side before pasting production tokens.
Can I verify a JWT signature with this tool?
This tool decodes and displays the header and payload of a JWT, and it checks whether the token has expired based on the exp claim. However, verifying the cryptographic signature requires the secret key (for HMAC algorithms) or the public key (for RSA/ECDSA); the secret key in particular should never be pasted into a web tool. Signature verification should be performed server-side in your application.
What are common JWT claims?
Standard JWT claims include: iss (issuer — who created the token), sub (subject — who the token is about), aud (audience — who the token is intended for), exp (expiration time as a Unix timestamp), nbf (not before — token is not valid before this time), iat (issued at — when the token was created), and jti (JWT ID — a unique identifier for the token). Applications can also define custom claims for roles, permissions, and other user data.
What is the difference between JWS and JWE?
JWS (JSON Web Signature) is the most common JWT format — the payload is Base64URL-encoded and readable by anyone, but the signature prevents tampering. JWE (JSON Web Encryption) encrypts the payload so that only the intended recipient can read it. Most tokens you encounter in web applications are JWS tokens. This tool decodes JWS tokens; JWE tokens require a decryption key and cannot be decoded client-side without it.