JWT Decoder
Decode and inspect JSON Web Tokens. The header and payload are decoded; the signature is not verified. Runs entirely in your browser.
What is a JWT (JSON Web Token) and How Does JWT Authentication Work?
A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519 for securely transmitting claims between two parties. JWTs are the standard authentication mechanism for modern web applications, single-page apps (SPAs), mobile apps, and microservice architectures. They're used by OAuth 2.0, OpenID Connect, and countless API authentication systems.
Understanding the Three Parts of a JWT Token
- Header: contains the token type (`"typ": "JWT"`) and the signing algorithm (`"alg": "HS256"`, `"RS256"`, etc.). Decoded from the first Base64URL segment.
- Payload: contains the claims, the actual data. Standard claims include `sub` (subject/user ID), `iss` (issuer), `exp` (expiration time), `iat` (issued at), and `aud` (audience). Custom claims can contain any application-specific data.
- Signature: created by signing the header and payload with a secret key (HMAC) or a private key (RSA/ECDSA). This tool does not verify signatures; it only decodes the header and payload.
Common Debugging Scenarios for JWT Tokens
- Checking if a token has expired: compare the `exp` claim against the current time to diagnose 401 Unauthorized errors.
- Inspecting user roles and permissions: view custom claims like `role`, `scope`, or `permissions` embedded in the payload.
- Debugging OAuth 2.0 access tokens: inspect tokens from providers like Auth0, Okta, Azure AD, AWS Cognito, or Firebase.
- Verifying token issuer and audience: ensure the `iss` and `aud` claims match your expected values.
- Understanding token structure for API integration: see exactly what data is included in access tokens and ID tokens.
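The decoding steps described in the two sections above (split on `.`, Base64URL-decode the first two segments, then compare `exp`, `iss`, and `aud` against what you expect) are shown below as an added example. It is not the tool's own source code; the token, the claim values, and the signature placeholder are all constructed for the example, and `decodeJwt` and `inspectClaims` are names chosen here. Like the tool, it decodes without verifying the signature, so its output tells you what a token claims, not whether the claim is trustworthy. It runs in a browser console and in Node 18+, since both provide `atob`, `btoa`, `TextEncoder`, and `TextDecoder`.

```javascript
// Added example: decode a JWT's header and payload without verifying the signature.

// JWT segments are Base64URL (RFC 4648 section 5): '-' and '_' instead of
// '+' and '/', and no '=' padding. atob() wants standard Base64, so translate first.
function base64UrlDecode(segment) {
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('invalid Base64URL segment length');
  if (rem) b64 += '='.repeat(4 - rem);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  // Decode as UTF-8 so non-ASCII claim values (names, locales) survive intact.
  return new TextDecoder().decode(bytes);
}

// Inverse of the above; used only to build the constructed sample token below.
function base64UrlEncode(str) {
  const bytes = new TextEncoder().encode(str);
  const bin = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split the compact serialization into its three parts and parse the two JSON ones.
// The signature is returned as-is: nothing here checks it.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error(`expected 3 segments, got ${parts.length}`);
  const [h, p, s] = parts;
  return {
    header: JSON.parse(base64UrlDecode(h)),
    payload: JSON.parse(base64UrlDecode(p)),
    signature: s, // opaque: decoding is not verification
  };
}

// The checks from the debugging scenarios above. `now` is seconds since the epoch,
// matching how exp/nbf/iat are expressed. Returns a list of problems (empty = none found).
function inspectClaims(payload, { issuer, audience, now = Math.floor(Date.now() / 1000), leeway = 0 } = {}) {
  const problems = [];
  if (typeof payload.exp !== 'number') {
    problems.push('missing exp');
  } else if (now >= payload.exp + leeway) {
    problems.push(`expired ${now - payload.exp}s ago`);
  }
  if (typeof payload.nbf === 'number' && now < payload.nbf - leeway) {
    problems.push(`not valid for another ${payload.nbf - now}s (nbf)`);
  }
  if (issuer !== undefined && payload.iss !== issuer) {
    problems.push(`iss is ${JSON.stringify(payload.iss)}, expected ${JSON.stringify(issuer)}`);
  }
  if (audience !== undefined) {
    // aud may be a single string or an array of strings (RFC 7519 section 4.1.3).
    const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
    if (!aud.includes(audience)) {
      problems.push(`aud ${JSON.stringify(payload.aud)} does not include ${JSON.stringify(audience)}`);
    }
  }
  return problems;
}

// Constructed sample token (not a real credential). The third segment is a
// placeholder, not a real HMAC, which is exactly the kind of thing decoding cannot detect.
const SAMPLE_HEADER = { alg: 'HS256', typ: 'JWT' };
const SAMPLE_PAYLOAD = {
  sub: 'user-42', iss: 'https://issuer.example', aud: 'api.example',
  iat: 1700000000, exp: 1700003600, role: 'editor', name: 'Zoë',
};
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify(SAMPLE_HEADER)),
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
  base64UrlEncode('constructed-signature-placeholder'),
].join('.');

// Usage: decode, then report what the claims say relative to a given clock.
const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header, decoded.payload);
console.log(inspectClaims(decoded.payload, {
  issuer: 'https://issuer.example', audience: 'api.example', now: 1700000100,
}));
```

When diagnosing a 401, pass your own `issuer` and `audience` and the clock of the server that rejected the token; a small `leeway` covers clock skew between issuer and verifier. An empty problem list means the claims look right, nothing more: only the server's signature check establishes that the token is genuine.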
Is It Safe to Paste JWT Tokens Into an Online Decoder?
With this tool, yes. This JWT decoder runs 100% in your browser using client-side JavaScript. No token data is ever transmitted to any server. You can verify this by opening your browser's Network tab (F12, then Network) while decoding a token: you'll see zero outgoing requests. For production environments, you can also decode a segment with atob() in your browser console.
JWT Security Best Practices
- Always set an expiration time (`exp`); never issue tokens that last forever.
- Use RS256 (asymmetric) instead of HS256 (symmetric) for public-facing APIs.
- Store tokens in HttpOnly cookies instead of localStorage to prevent XSS attacks.
- Never store sensitive data (passwords, credit cards) in JWT payloads; they are Base64-encoded, not encrypted.
- Implement token refresh rotation to limit the window of a stolen token.