JWT Decoder & Inspector

Paste any JSON Web Token and instantly see its decoded Header, Payload, and Signature — all inside your browser, nothing sent to a server.


What is a JSON Web Token (JWT)?

A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained method for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed using either a secret (HMAC) or a public/private key pair (RSA or ECDSA).

JWTs are most commonly used for authentication and authorization in modern web applications. When a user signs in, the server issues a JWT. The client stores this token and sends it with every subsequent request — typically in the Authorization: Bearer <token> HTTP header — so the server can verify the user's identity without querying a database on every request.

Because a JWT carries its own claims, the server does not need to keep per-session state, which makes JWTs a good fit for distributed and microservice architectures. OAuth 2.0, OpenID Connect, and many modern SSO providers all rely on JWTs as their primary token format.

Structure of a JWT — Header, Payload, Signature

A JWT consists of three Base64Url-encoded parts separated by dots (.):

1. Header

The header typically contains two fields: the type of the token (always JWT) and the signing algorithm being used, such as HS256, RS256, or ES256.

2. Payload / Claims

The payload is the most important part. It contains claims — statements about the entity (typically a user) and additional metadata. There are three types of claims:

  • Registered claims: Predefined, recommended claims: sub (subject), iss (issuer), exp (expiration time), aud (audience), iat (issued at), nbf (not before).
  • Public claims: Custom claims agreed upon by parties using the JWT, registered in the IANA JSON Web Token Registry.
  • Private claims: Custom claims created to share information between parties that agree on using them.

3. Signature

To create the signature, the encoded header and encoded payload are joined with a dot and signed using the algorithm named in the header, with either a shared secret (HMAC) or a private key (RSA/ECDSA). The signature lets the recipient verify that the token hasn't been tampered with in transit. Critically, the payload is only encoded, not encrypted — anyone who obtains the token can read its claims. Decoding a token, as this tool does, reads those claims but does not check the signature; verification requires the secret or public key. Never store sensitive data (passwords, PII) in a JWT payload.