JWT Decoder

Paste a JSON Web Token to decode the header and payload instantly. All decoding happens in your browser — nothing is sent to a server.

Samples

JWT reference

A JSON Web Token (JWT) is a compact, URL-safe string with three Base64url-encoded parts separated by dots: header.payload.signature.

Structure

Part Contents Example fields
HeaderAlgorithm & token typealg, typ, kid
PayloadClaims (statements about the subject)sub, iss, exp, iat, aud
SignatureIntegrity check — prevents tamperingHMAC-SHA256 or RSA/ECDSA of header + payload

Registered claim names

iss
Issuer — who created the token (e.g. your auth server URL).
sub
Subject — who the token is about, usually a user ID.
aud
Audience — intended recipient(s) of the token.
exp
Expiration time — Unix timestamp after which the token must be rejected.
nbf
Not before — Unix timestamp before which the token must not be accepted.
iat
Issued at — Unix timestamp when the token was created.
jti
JWT ID — unique identifier for the token, used to prevent replay attacks.

Common algorithms

alg valueAlgorithmKey type
HS256HMAC-SHA256Shared secret
HS384HMAC-SHA384Shared secret
HS512HMAC-SHA512Shared secret
RS256RSA-SHA256RSA key pair
RS384RSA-SHA384RSA key pair
RS512RSA-SHA512RSA key pair
ES256ECDSA with P-256 and SHA-256EC key pair
ES384ECDSA with P-384 and SHA-384EC key pair
ES512ECDSA with P-521 and SHA-512EC key pair
noneNo signature (unsecured JWT)

Security note: Decoding a JWT does not verify its signature. Always validate the signature server-side using the issuer's public key or shared secret before trusting any claims in a JWT.