Decode and inspect JSON Web Tokens (JWT). View header, payload, and verify structure without any server.
JSON Web Tokens (JWTs) are an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. A JWT consists of three Base64URL-encoded parts separated by dots: the Header (algorithm and token type), the Payload (claims such as exp, iat, sub, and custom data), and the Signature. Base64URL is an encoding, not encryption: anyone who holds a signed token can read its header and payload, and the signature only protects them against modification. JWTs are widely used in authentication flows: when a user logs in, the server issues a JWT that the client includes in subsequent requests. Understanding what's inside a JWT is crucial for debugging authentication issues, auditing expiry times, and inspecting claims during development. This decoder runs entirely in your browser, so your tokens never leave your machine.
A JWT (JSON Web Token) is a compact, URL-safe way to represent claims between two parties. It's commonly used for authentication — a server issues a JWT after login, and the client sends it with each request to prove identity.
Yes. This decoder runs entirely in your browser using JavaScript. Your JWT is never sent to any server. However, avoid sharing JWTs publicly as they may grant access to protected resources.
Signature verification requires the secret key (for HMAC) or the public key (for RSA/ECDSA) used to sign the token. This decoder shows the raw signature bytes — to verify, you need the corresponding key from your auth server.
'exp' is the expiration claim — a Unix timestamp indicating when the token expires. If the current time is past this value, the token is no longer valid. Use our Timestamp Converter to read it.
JWT is a token format, while OAuth is an authorization framework. OAuth often uses JWTs as the token format (access tokens), but they're separate concepts. OAuth defines the flow; JWT defines the token structure.
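An added example (not this tool's own code) of the decode-only inspection described above: it splits the token, Base64URL-decodes the header and payload, and compares `exp` with the current time, without verifying the signature. The function names and the sample token are constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. No signature verification happens here.
function b64urlToBytes(seg) {
  if (!/^[A-Za-z0-9_-]*$/.test(seg)) throw new Error("segment is not Base64URL");
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4); // restore stripped padding
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

function decodeJsonSegment(seg) {
  const text = new TextDecoder("utf-8", { fatal: true }).decode(b64urlToBytes(seg));
  const value = JSON.parse(text);
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error("segment is not a JSON object");
  }
  return value;
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = decodeJsonSegment(parts[0]);
  const payload = decodeJsonSegment(parts[1]);
  const signatureBytes = b64urlToBytes(parts[2]).length;
  const hasExp = typeof payload.exp === "number";
  const warnings = [];
  if (String(header.alg).toLowerCase() === "none") warnings.push("alg is none: unsigned token");
  if (signatureBytes === 0) warnings.push("signature segment is empty");
  if (!hasExp) warnings.push("no numeric exp claim");
  // RFC 7519: the current time must be before exp for the token to be accepted.
  const expired = hasExp ? nowSeconds >= payload.exp : null;
  return { header, payload, signatureBytes, expired, warnings, signatureVerified: false };
}

// Constructed sample token: the signature is placeholder bytes, not a real HMAC.
const toSeg = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_JWT = [
  toSeg({ alg: "HS256", typ: "JWT" }),
  toSeg({ sub: "user-123", iat: 1700000000, exp: 1700003600, role: "admin" }),
  "c2lnbmF0dXJl",
].join(".");

console.log(inspectJwt(SAMPLE_JWT, 1700000000));
```

The result always reports `signatureVerified: false`, so nothing decoded this way should drive an authorization decision until the signature has been checked with the issuer's key.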