JWT Decoder
Inspect the header, payload, and signature of JSON Web Tokens. Understand your tokens instantly.
About JSON Web Tokens (JWT)
JSON Web Tokens (JWT) are an open, industry-standard RFC 7519 method for representing claims securely between two parties. They are widely used for authentication and authorization in modern web applications, allowing information to be securely transmitted as a compact, URL-safe string.
Technical Details of JWT Structure
A JWT is composed of three parts, separated by dots, which are Base64Url-encoded:
- Header: Typically consists of two parts: the type of the token (JWT) and the signing algorithm being used (e.g., HMAC SHA256 or RSA).
- Payload: Contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are registered claims (e.g., iss, exp, sub), public claims, and private claims.
- Signature: Created by taking the encoded header, the encoded payload, a secret, and the algorithm specified in the header, and signing it. This signature is used to verify that the sender of the JWT is who it says it is and that the message hasn't been changed along the way.
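The three-part structure described above, as an added example that is not part of this tool's code: it decodes the Base64Url header and payload for inspection, then shows how an HS256 signature is computed over the encoded header and payload and checked against a secret. The secret and claims are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    # Base64Url drops the '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str):
    """Split a compact JWT and decode header and payload WITHOUT verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWT has exactly three dot-separated parts")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, b64url_decode(parts[2])


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build an HS256 token: the MAC covers '<encoded header>.<encoded payload>'."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(mac)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute the HMAC over the signing input and compare in constant time.
    The expected algorithm is pinned here instead of trusted from the header."""
    header, _, sig = decode_jwt(token)
    if header.get("alg") != "HS256":
        return False
    signing_input = token.rsplit(".", 1)[0].encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


# Constructed demo values: this secret and these claims are made up for the example.
DEMO_SECRET = b"demo-secret-do-not-reuse"
DEMO_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"},
                        {"iss": "example-issuer", "sub": "user-42", "exp": 1700000000},
                        DEMO_SECRET)

if __name__ == "__main__":
    hdr, claims, _ = decode_jwt(DEMO_TOKEN)
    print(hdr, claims, verify_hs256(DEMO_TOKEN, DEMO_SECRET))
```

Decoding alone tells you what a token claims, not whether it is genuine; only the verification step with the right secret establishes that.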
Common Questions
Can this tool validate the JWT signature?
No, this tool only decodes the Base64Url-encoded parts of the JWT (header and payload) for inspection. It does not validate the signature, as signature validation requires the secret key, which should never be exposed in a client-side tool.
What are common JWT claims?
Common claims include iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before time), iat (issued at time), and jti (JWT ID). Custom claims can also be added to the payload.
Is it safe to paste sensitive information into this decoder?
While this is a client-side tool and your JWT is not sent to our servers, it is generally not recommended to paste highly sensitive or confidential JWTs into any online tool. Always exercise caution and understand the implications of exposing token content.