JWT Decoder & Inspector
Signature verification requires the secret key and is not performed client-side.
What is a JWT?
JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. A JWT consists of three base64url-encoded parts separated by dots: a header that specifies the algorithm used, a payload that contains claims (statements about an entity), and a signature used to verify the token's integrity. JWTs are widely used for authentication and authorization in web applications and APIs.
How JWT Decoding Works
The header and payload of a JWT are simply base64url-encoded JSON, so no secret key is needed to decode them. Anyone who holds the token can read its contents, which is why sensitive data should never be placed in a JWT payload without additional encryption. Verifying the signature, however, requires the original secret key (for HMAC algorithms) or the public key matching the signer's private key (for asymmetric algorithms). This tool decodes only; it does not verify signatures, so a token that decodes cleanly has not been shown to be authentic or unmodified.
Common JWT Claims
| Claim | Full Name | Description |
|---|---|---|
| sub | Subject | Identifies the principal (user) the token refers to |
| iss | Issuer | Identifies who issued the token |
| aud | Audience | Identifies the recipients the token is intended for |
| exp | Expiration Time | Unix timestamp after which the token must not be accepted |
| iat | Issued At | Unix timestamp when the token was issued |
| nbf | Not Before | Unix timestamp before which the token must not be accepted |
| jti | JWT ID | Unique identifier for the token to prevent replay attacks |