⚠️ Never paste production JWTs containing sensitive user data into any online tool. Use this for test/development tokens only.

Frequently Asked Questions

A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519. It consists of three Base64URL-encoded parts separated by dots: a header (a JSON object naming the signing algorithm and token type), a payload (a JSON object of claims), and a signature computed over the first two parts. Base64URL is an encoding, not encryption: anyone holding the token can read the header and payload, and only the signature ties them to the issuer. JWTs are commonly used for authentication and authorization in web APIs.
All decoding happens in your browser — nothing is sent to any server. However, JWT payloads often contain sensitive data (user IDs, emails, roles). As a best practice, avoid pasting tokens from production systems. Use test or mock tokens instead.
The registered claims defined in RFC 7519 are:

iss (Issuer) - who issued the token; a verifier should compare it against the issuer it expects.
sub (Subject) - who the token is about (typically the user or principal identifier).
aud (Audience) - the intended recipient(s), as a string or an array of strings; a verifier must reject a token whose aud does not include its own identifier.
exp (Expiration) - Unix timestamp (seconds); the token must be rejected once the current time is at or after this value.
iat (Issued At) - Unix timestamp (seconds) of when the token was created.
nbf (Not Before) - Unix timestamp (seconds); the token must not be accepted before this time.
jti (JWT ID) - a unique identifier for the token, useful for revocation lists and replay detection.

All of these are optional; which ones a backend checks, and against which expected values, is an application decision.
Signature verification requires the shared secret (for HMAC algorithms such as HS256) or the issuer's public key (for RSA/EC algorithms such as RS256 and ES256). The HMAC secret and the RSA/EC private signing key must never be pasted into any client-side tool; the public key is, by design, safe to distribute. This decoder only shows the decoded content and does not verify the signature, so nothing it displays should be trusted. Your backend should always validate the signature before trusting any claims, and it should pin the algorithm it expects rather than honouring whatever alg value the token's header declares, since an attacker controls that header until the signature has been checked.