Free Developer Tool — 100% Client-Side

JWT Decoder Online

Decode and inspect JWT tokens instantly. View header, payload, and signature — no server upload, no tracking, fully private.


What Is JWT?

JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. A JWT is digitally signed, so a recipient can verify that it came from the expected issuer and has not been altered. Our free online JWT decoder lets you inspect the contents of any JWT without sending it to a server.

Structure of a JWT

A JWT consists of three parts separated by dots: header.payload.signature

Header

Contains the token type and signing algorithm (e.g., HS256, RS256).

Payload

Contains the claims — statements about an entity and additional data. Standard claims include sub, iat, exp.

Signature

Verifies the token hasn't been tampered with. Created by signing the encoded header and payload with a secret key (HS256) or a private key (RS256, ES256).

What Is Base64Url Encoding?

JWT uses Base64Url encoding, which is a URL-safe variant of Base64. Unlike standard Base64, it uses - instead of + and _ instead of /, and omits padding = characters. This JWT payload decoder automatically handles this encoding when decoding tokens.

Common JWT Use Cases

  • Authentication — Users receive a JWT after logging in, which they send with each request to verify their identity.
  • API Authorization — Backend services use JWTs to authorize access to protected API endpoints.
  • SaaS Sessions — SaaS platforms use JWTs to maintain session state across distributed microservices.
  • Single Sign-On — SSO protocols like OpenID Connect use JWTs to transmit identity information.
  • Password Reset — Time-limited JWTs encode password reset tokens with expiration claims.

Is JWT Secure?

JWT tokens are signed, not encrypted. The header and payload are Base64Url-encoded, not encrypted — anyone with the token can decode and read them. Never put sensitive data in a JWT payload. The signature ensures the token hasn't been modified, but it does not protect the contents from being viewed. Our JWT token decoder shows exactly what data is visible in any JWT.

JWT Token Example

Encoded JWT

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Decoded Header

{"alg":"HS256","typ":"JWT"}

Decoded Payload

{"sub":"1234567890","name":"John Doe","iat":1516239022}
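
The decoding shown above can be reproduced in a few lines of JavaScript. This is an added example, not the tool's own code; the function names base64UrlDecode and inspectJwt are hypothetical. It restores the Base64Url padding, decodes the header and payload, reports the exp status, and marks the result as unverified because decoding never checks the signature.

```javascript
// Added example: decode-only JWT inspection (works in browsers and Node 18+).
// Nothing here checks the signature, so the output must not drive trust decisions.

// Sample token copied from the "Encoded JWT" section of this page.
const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

// Base64Url -> UTF-8 text: swap the URL-safe characters back and restore padding.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error('segment is not Base64Url');
  if (segment.length % 4 === 1) throw new Error('impossible Base64Url length');
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64.padEnd(Math.ceil(b64.length / 4) * 4, '=');
  const bytes = Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
  // fatal: true rejects byte sequences that are not valid UTF-8 instead of guessing.
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// Split header.payload.signature, decode the first two parts, and report exp status.
// nowSeconds is injectable so the expiry check can be tested deterministically.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  let expStatus = 'no exp claim';
  if (typeof payload.exp === 'number') {
    // A token is expired once the current time reaches the exp timestamp.
    expStatus = nowSeconds >= payload.exp ? 'expired' : 'not expired';
  }
  return { header, payload, signature: parts[2], expStatus, signatureVerified: false };
}

console.log(inspectJwt(SAMPLE_TOKEN));
```

A server must still verify the signature with the expected algorithm and key before acting on any claim this returns.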

JWT Decoder FAQ

What is a JWT?

JWT (JSON Web Token) is an open standard for securely transmitting information between parties as a JSON object. It consists of three parts: a header, a payload, and a signature, separated by dots. JWTs are widely used for authentication and authorization in modern web applications.

Is it safe to decode JWT tokens online?

Yes. This JWT decoder runs entirely in your browser with no server communication. Your token data never leaves your device. However, never paste production secrets or sensitive tokens into any online tool.

What is the difference between JWT and JWE?

JWT (JSON Web Token) is signed but not encrypted, so anyone can read the contents. JWE (JSON Web Encryption) encrypts the payload so only the intended recipient can read it. Use JWT for data that must be tamper-evident, and JWE for data that must stay confidential.

How does JWT expiration work?

JWTs can include an exp (expiration) claim in the payload. This tool checks the exp claim and shows whether the token is valid or expired. Expired tokens should be rejected by servers and replaced with fresh tokens from the authentication provider.

Can I trust the data in a JWT?

The signature verifies that the JWT hasn't been modified since it was signed, but the header and payload are Base64Url-encoded, not encrypted. Anyone with the token can decode and read its contents. Never store sensitive data in a JWT payload.

What signing algorithms can JWT use?

JWT supports multiple signing algorithms: HS256 (HMAC with SHA-256), RS256 (RSA with SHA-256), and ES256 (ECDSA with SHA-256) are the most common. HS256 uses a shared secret, while RS256 and ES256 use a public/private key pair for asymmetric signing.

How do I decode a JWT token?

Paste your JWT token into the input field and click Decode. The tool will instantly decode the header and payload, display them as formatted JSON, and show the signature. All processing happens in your browser.

What is Base64Url encoding?

Base64Url is a URL-safe variant of Base64. It uses - instead of + and _ instead of /, and omits padding = characters. JWT uses Base64Url encoding for all three parts of the token to ensure safe transmission in URLs and HTTP headers.
