JWT Decoder
Paste a JSON Web Token to decode its header and payload, inspect claims, and check expiry status.
About the JWT Decoder
A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519. JWTs are widely used for authentication and authorization — they are issued by an identity provider after login and sent with subsequent API requests to prove identity and permissions without requiring a database lookup on every call.
JWT structure
A JWT consists of three Base64URL-encoded segments separated by dots: header.payload.signature. The header specifies the token type and signing algorithm. The payload contains claims — statements about the user and session metadata. The signature is used to verify the token hasn't been tampered with.
Standard claims
| Claim | Meaning |
|---|---|
| iss | Issuer — who created the token |
| sub | Subject — who the token refers to (usually a user ID) |
| aud | Audience — intended recipients of the token |
| exp | Expiration — Unix timestamp after which the token is invalid |
| iat | Issued at — Unix timestamp when the token was created |
| nbf | Not before — Unix timestamp before which the token must not be accepted |
Signature verification
This tool decodes and displays the header and payload but does not verify the signature. Verifying the signature requires the secret key (for HMAC algorithms such as HS256) or the public key (for asymmetric algorithms such as RS256 and ES256). Always verify signatures server-side before trusting any claims from a JWT.
Privacy
JWT decoding happens entirely in your browser — tokens are never sent to any server. That said, be careful pasting production tokens containing sensitive data into any online tool. Learn more about how Dev-Utilities handles privacy.