JWT Token

Frequently Asked Questions

What is a JSON Web Token (JWT)?

A JWT is a compact, URL-safe token used to transmit claims between parties. It is commonly used for authentication and authorization in web applications and APIs. A JWT consists of three Base64url-encoded parts: a header, a payload, and a signature, joined by dots.

What are the three parts of a JWT?

The header contains metadata such as the token type and signing algorithm (e.g. HS256). The payload contains claims — statements about the user or session, including standard claims like "exp" (expiry), "iat" (issued at), and "sub" (subject). The signature is computed over the encoded header and payload with the signing key, so the recipient can verify that neither part has been tampered with.

Is it safe to decode JWTs in the browser?

Yes — decoding is safe. The header and payload are Base64url-encoded, not encrypted, and anyone with the token can read them. However, verification (checking the signature) requires the secret key, which should never leave the server. Never put sensitive secrets inside the JWT payload.