JWT Decoder & Encoder

Note: JWT encoding is done client-side. Never use production secrets here.

About JWT

JSON Web Token (JWT) is a compact, URL-safe means of representing claims between two parties.

Structure:

  • Header - Algorithm & token type
  • Payload - Claims (data)
  • Signature - Verification
Common Claims
  • iss - Issuer
  • sub - Subject
  • aud - Audience
  • exp - Expiration Time
  • nbf - Not Before
  • iat - Issued At
  • jti - JWT ID
Supported Algorithms
  • HS256 - HMAC SHA-256
  • HS384 - HMAC SHA-384
  • HS512 - HMAC SHA-512
  • RS256 - RSA (decode only)
  • ES256 - ECDSA (decode only)

JWT Decoder — Debug Tokens Without Sharing Your Secrets

Paste a JWT and see what's inside. Everything runs locally in your browser, so your tokens stay private. Handy when you're troubleshooting authentication flows or just want to peek at claims without digging through code.

What's a JWT, anyway?

JWT (pronounced "jot") is a compact token format defined in RFC 7519. It carries a JSON payload signed with a secret or key pair, letting servers trust the data without a database lookup. You'll find JWTs powering login sessions, API keys, and OAuth flows across the web.

What this tool does

When you might need this

JWT Questions

A signed JSON blob that servers can trust without database lookups. Contains claims (who you are, what you can do, when it expires) plus a signature proving it wasn't tampered with.

Header (algorithm used), Payload (the actual data/claims), Signature (proof it's legit). Each part is Base64URL encoded, separated by dots.

The signature is secure — tampering is detectable. But the payload is just encoded, not encrypted. Anyone can read it. Don't put secrets in there. And always use HTTPS.

Standard ones are iss (who issued it), sub (who it's for), exp (when it expires), iat (when issued). Add custom claims for roles, permissions, whatever your app needs.