JWT Decoder

Decode JSON Web Tokens (JWT) instantly.

About This Tool

A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. JWTs are overwhelmingly used for stateless authentication on the web. This tool lets you paste an encoded token and instantly view its decoded Header (algorithm type) and Payload (user claims, expiration date).

When to Use

  • Debugging failed logins to see if the token contains the correct user ID or roles.
  • Checking the 'exp' (expiration) claim to see when a token expires.
  • Verifying what signing algorithm (e.g. HS256, RS256) is defined in the token header.

Practical Examples

Standard Format: eyJh... (Header) . eyJw... (Payload) . signature_hash
Decoded Date: "iat": 1672531200 means Issued At: Jan 01 2023

Common Mistakes to Avoid

  • Pasting the token with the 'Bearer ' prefix still attached. A valid JWT string should start directly with 'ey' (which is the Base64 encoding of '{"').
  • Assuming a JWT is encrypted. By default, JWTs are only *encoded* (Base64) and *signed* (Signature), so their contents are plain text that anyone holding the token can read. Do not put sensitive data (like passwords) in a standard JWT.

Frequently Asked Questions

Q. Does this tool verify the signature?
A. No, this tool performs pure decoding. Checking the signature requires your server's secret key, which should never be exposed to the browser.

Q. Why do JWTs start with 'ey'?
A. Because JWT headers invariably begin with '{"alg":...' or '{"typ":...'. When you Base64 encode '{"', the result always starts with 'ey'.
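
The decode-only behaviour described above, as an added Node.js example that is not this tool's own code: it strips a pasted 'Bearer ' prefix, decodes the Header and Payload segments, converts 'iat' and 'exp' to dates, and reports that the signature was not checked. The names decodeJwt and b64urlToJson are hypothetical, and the sample token is constructed with a placeholder signature.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies the signature.
// b64urlToJson and decodeJwt are hypothetical helper names.
function b64urlToJson(segment) {
  // JWT segments are base64url without padding; map them back to standard Base64.
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error('segment is not base64url');
  if (segment.length % 4 === 1) throw new Error('invalid base64url length');
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

function decodeJwt(input, nowSeconds = Math.floor(Date.now() / 1000)) {
  // Drop the HTTP "Bearer " scheme if the whole Authorization value was pasted.
  const token = input.trim().replace(/^Bearer\s+/i, '');
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  // iat/exp are seconds since the Unix epoch; Date expects milliseconds.
  const toIso = (s) => (typeof s === 'number' ? new Date(s * 1000).toISOString() : null);
  const warnings = [];
  if (String(header.alg).toLowerCase() === 'none') warnings.push('alg is "none": token is unsigned');
  if (typeof payload.exp === 'number' && payload.exp <= nowSeconds) warnings.push('token is expired');
  return {
    header,
    payload,
    issuedAt: toIso(payload.iat),
    expiresAt: toIso(payload.exp),
    signatureVerified: false, // decoding proves nothing about authenticity
    warnings,
  };
}

// Constructed sample token; the third segment is a placeholder, not a real signature.
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleToken = [
  enc({ alg: 'HS256', typ: 'JWT' }),
  enc({ sub: 'user-123', roles: ['viewer'], iat: 1672531200, exp: 1672534800 }),
  'c2lnbmF0dXJlX2hhc2g',
].join('.');

// "Now" is fixed so the output is reproducible.
const result = decodeJwt('Bearer ' + sampleToken, 1672540000);
console.log(result.header.alg, result.issuedAt, result.expiresAt, result.warnings);
```

Because the signature is never checked, treat the decoded claims as untrusted input until the server has verified the token.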
