JWT Decoder
Decode JSON Web Tokens instantly to securely inspect claims and payloads. Never send sensitive tokens to the server.
What is a JSON Web Token (JWT)?
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
A typical JWT consists of three parts separated by dots (`.`):
- Header: Typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.
- Payload: Contains the claims. Claims are statements about an entity (typically, the user) and additional data.
- Signature: Created by joining the encoded header and the encoded payload with a dot and signing that string with the secret (or private key) using the algorithm named in the header.
When should you use JSON Web Tokens?
- Authorization: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.
- Information Exchange: JSON Web Tokens are a good way of securely transmitting information between parties. Because JWTs can be signed—for example, using public/private key pairs—you can be sure the senders are who they say they are. Additionally, as the signature is calculated using the header and the payload, you can also verify that the content hasn't been tampered with.
How to use this JWT Decoder tool
- Copy your JSON Web Token from your application's local storage, cookies, or authorization header.
- Paste the token into the Encoded Token textarea above.
- The tool will automatically split the token and decode the Base64Url encoded Header and Payload.
- Inspect the decoded JSON in the respective Header and Payload sections on the right.
- Verify that the data (claims) inside the token is correct for your debugging purposes.
Security Note: This tool runs entirely in your browser. Your JWTs are never sent to a server, ensuring that your sensitive tokens and data remain secure on your machine. However, as a best practice, never paste production JWTs with sensitive real-user data into any online tool.