JWT Decoder

Decode and inspect JWT tokens safely in your browser

Security Note: Never decode production tokens containing sensitive data on untrusted websites. This tool runs 100% in your browser with no server transmission.


About JWT Decoder & Technical Guide

What is a JSON Web Token (JWT)?

A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

JWTs are most commonly used for authentication and information exchange. Once a user logs in, each subsequent request includes the JWT, allowing the user to access the routes, services, and resources that the token permits.

The Three Parts of a JWT

A JWT typically consists of three parts separated by dots (.):

  • Header: Usually consists of two parts: the type of the token (JWT) and the signing algorithm being used, such as HMAC SHA256 or RSA.
  • Payload: Contains the "claims." Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims.
  • Signature: Created by signing the encoded header and the encoded payload with a secret, using the algorithm specified in the header.

Understanding Common JWT Claims

  • sub: Subject - The unique identifier for the user or entity the token represents.
  • iat: Issued At - The Unix timestamp when the token was generated.
  • exp: Expiration Time - The exact second the token becomes invalid.
  • iss: Issuer - The authority that signed and provided the token.

Why Decode JWTs Locally?

JWTs often contain sensitive user information (PII) or internal system scopes. Sending a production JWT to a third-party server for "decoding" exposes your users' data and your system's metadata to potential logging or security breaches. Our JWT Decoder processes everything in your browser's memory, ensuring your secrets stay on your machine.

🔒 Privacy Commitment

Like all tools in the Dev Tool Kit, this JWT Decoder operates 100% client-side. Your data is processed locally in your browser and is never sent to our servers. Privacy is not just a feature; it's our core architecture.