Paste a JWT on the left to decode it instantly.
Header · Payload · Signature — all decoded client-side.
Paste any JSON Web Token and instantly see its decoded Header, Payload, and Signature — all inside your browser, nothing sent to a server.
A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained method for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed using either a secret (HMAC) or a public/private key pair (RSA or ECDSA).
JWTs are most commonly used for authentication and authorization in modern web applications. When a user signs in, the server issues a JWT. The client stores this token and sends it with every subsequent request — typically in the Authorization: Bearer <token> HTTP header — so the server can verify the user's identity without querying a database on every request.
Because JWTs are stateless, they scale perfectly in distributed and microservice architectures. OAuth 2.0, OpenID Connect, and many modern SSO providers all rely on JWTs as their primary token format.
A JWT consists of three Base64Url-encoded parts separated by dots (.): the header, the payload, and the signature.
The header typically contains two fields: the type of the token (always JWT) and the signing algorithm being used, such as HS256, RS256, or ES256.
The payload is the most important part. It contains claims — statements about the entity (typically a user) and additional metadata. There are three types of claims:
To create the signature, the encoded header and encoded payload are joined with a dot and signed, using the algorithm named in the header, with the secret (HMAC) or private key (RSA/ECDSA). The signature lets the recipient verify that the token hasn't been tampered with in transit; decoding a token shows its contents but proves nothing until the signature has been checked against the expected algorithm and key. Critically, the payload is only encoded, not encrypted — anyone who obtains the token can read its claims. Never store sensitive data (passwords, PII) in a JWT payload.