
JWT Decoder

Decode and inspect any JSON Web Token. View the header algorithm, all payload claims, expiry status (valid or expired), and issuer — all without needing the secret key.

Standard Claims

sub: Subject (user ID)
iss: Issuer
aud: Audience
exp: Expiry timestamp
iat: Issued at
nbf: Not before
jti: JWT unique ID

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It has three Base64URL-encoded parts separated by dots: a header (algorithm and token type), a payload (claims about the user and token), and a signature (for verifying the token was not tampered with). JWTs are widely used for stateless authentication in REST APIs and single-page applications.

Frequently Asked Questions

The header and payload are simply Base64URL-encoded, so anyone can decode them. The signature prevents tampering. Never store sensitive data in JWT payloads, since they can be decoded by anyone with the token. Verifying the signature requires the secret key, and this tool does not do that.
HS256 uses a shared secret key: the same key signs and verifies. RS256 uses a public/private key pair: the server signs with the private key, and clients verify with the public key. RS256 is more secure for distributed systems since you never share the signing key.
JWTs are stateless: once issued, the server cannot invalidate them. Expiry limits damage if a token is stolen. Short expiry (15–60 min) is recommended for access tokens. Use refresh tokens with longer lifetimes to get new access tokens.
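
The decoding described above, as an added example that is not this tool's own code: it reads the header and payload without any key and reports expiry status, and it never checks the signature. The function names, the sample token and its claim values are constructed for illustration.

```javascript
// Added example: decode a JWT without the key. Nothing here checks the
// signature, so every value returned must be treated as untrusted input.

// Base64URL -> UTF-8 string (restore '+', '/' and '=' padding first).
function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// UTF-8 string -> Base64URL, used only to build the constructed sample.
function b64urlEncode(text) {
  const bytes = new TextEncoder().encode(text);
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// now is in seconds since the epoch, the same unit as exp, iat and nbf.
function inspectJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = JSON.parse(b64urlDecode(parts[0]));
  const payload = JSON.parse(b64urlDecode(parts[1]));
  let status = 'no exp claim';
  if (typeof payload.exp === 'number') status = now >= payload.exp ? 'expired' : 'valid';
  if (typeof payload.nbf === 'number' && now < payload.nbf) status = 'not yet valid';
  return { alg: header.alg, issuer: payload.iss, status, payload, signatureChecked: false };
}

// Constructed sample token; the third segment is a placeholder, not a real MAC.
const sampleToken = [
  b64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  b64urlEncode(JSON.stringify({
    sub: 'user-123', iss: 'https://issuer.example', iat: 1700000000, exp: 1700003600,
  })),
  'c2lnbmF0dXJlLXBsYWNlaG9sZGVy',
].join('.');

console.log(inspectJwt(sampleToken, 1700000100)); // inside the one-hour lifetime
console.log(inspectJwt(sampleToken, 1700003600)); // at exp: reported as expired
```

The sample decodes cleanly even though its signature segment is meaningless, which is why a server must verify the signature with the key before acting on any claim.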