JWT Decoder
Paste a JSON Web Token to decode the header and payload instantly. All decoding happens in your browser — nothing is sent to a server.
Signature verification requires the secret or public key and is not performed here. This tool only decodes the header and payload.
JWT reference
A JSON Web Token (JWT) is a compact, URL-safe string with three Base64url-encoded parts
separated by dots: header.payload.signature.
Structure
| Part | Contents | Example fields |
|---|---|---|
| Header | Algorithm & token type | alg, typ, kid |
| Payload | Claims (statements about the subject) | sub, iss, exp, iat, aud |
| Signature | Integrity check — prevents tampering | HMAC-SHA256 or RSA/ECDSA of header + payload |
Registered claim names
iss- Issuer — who created the token (e.g. your auth server URL).
sub- Subject — who the token is about, usually a user ID.
aud- Audience — intended recipient(s) of the token.
exp- Expiration time — Unix timestamp after which the token must be rejected.
nbf- Not before — Unix timestamp before which the token must not be accepted.
iat- Issued at — Unix timestamp when the token was created.
jti- JWT ID — unique identifier for the token, used to prevent replay attacks.
Common algorithms
| alg value | Algorithm | Key type |
|---|---|---|
HS256 | HMAC-SHA256 | Shared secret |
HS384 | HMAC-SHA384 | Shared secret |
HS512 | HMAC-SHA512 | Shared secret |
RS256 | RSA-SHA256 | RSA key pair |
RS384 | RSA-SHA384 | RSA key pair |
RS512 | RSA-SHA512 | RSA key pair |
ES256 | ECDSA with P-256 and SHA-256 | EC key pair |
ES384 | ECDSA with P-384 and SHA-384 | EC key pair |
ES512 | ECDSA with P-521 and SHA-512 | EC key pair |
none | No signature (unsecured JWT) | — |
Security note: Decoding a JWT does not verify its signature. Always validate the signature server-side using the issuer's public key or shared secret before trusting any claims in a JWT.