JWT Decoder
Decode and inspect JSON Web Tokens instantly in your browser
Quick Guide
- Paste a JWT (three dot-separated Base64URL parts)
- Header and payload are decoded and pretty-printed
- Expiry (exp) is shown as a human-readable date if present
- The signature is displayed raw — it is not verified
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token used to securely transmit claims between parties. It consists of three Base64URL-encoded parts separated by dots:
header.payload.signature
The Three Parts
- Header — specifies the token type (JWT) and signing algorithm (e.g. HS256, RS256)
- Payload — contains claims: user ID, roles, expiry (exp), issued-at (iat), etc.
- Signature — verifies the token hasn't been tampered with (requires the secret key)
Is a JWT Encrypted?
No — standard JWTs (JWS) are signed but not encrypted. The header and payload are just Base64URL-encoded and can be decoded by anyone. Never store sensitive data in a JWT payload unless you use JWE (JSON Web Encryption).
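The decoding described on this page, as an added JavaScript example (not this tool's own code): it splits a token into its three parts, Base64URL-decodes the header and payload without any key, and converts exp to a date. The function names and the sample token are constructed for illustration, and the signature is left unverified.

```javascript
// Decode one Base64URL segment to a UTF-8 string.
// Base64URL uses "-" and "_" instead of "+" and "/", and omits "=" padding.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error("not Base64URL");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Split and decode a signed (JWS) token. The signature is returned raw and
// is NOT verified, so the decoded claims must not drive access decisions.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated parts");
  const [rawHeader, rawPayload, signature] = parts;
  const header = JSON.parse(base64UrlDecode(rawHeader));
  const payload = JSON.parse(base64UrlDecode(rawPayload));
  // exp is in seconds since the Unix epoch; Date expects milliseconds.
  const expiresAt = typeof payload.exp === "number"
    ? new Date(payload.exp * 1000).toISOString()
    : null;
  return { header, payload, signature, expiresAt, verified: false };
}

// Helper used only to build the constructed sample token below.
function encodeSegment(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed sample: the third part is placeholder bytes, not a real MAC.
const sampleToken = [
  encodeSegment({ alg: "HS256", typ: "JWT" }),
  encodeSegment({ sub: "user-123", role: "admin", iat: 1700000000, exp: 1700003600 }),
  "c2FtcGxlLXNpZ25hdHVyZQ",
].join(".");

console.log(decodeJwt(sampleToken));
```

The sample decodes cleanly even though its signature is a placeholder, which is why decoded claims are only informational until a server verifies the signature with the key.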