FastDevTool

JWT Decoder

Decode and inspect JWT tokens. Never sends data to any server.

Frequently Asked Questions

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format used to securely transmit information between parties. It consists of three Base64URL-encoded parts separated by dots: a header (specifying the algorithm), a payload (containing claims like user ID or expiry time), and a signature that verifies the token has not been tampered with.

What are JWT claims?

Claims are statements about an entity (typically a user) stored in the JWT payload. Standard registered claims include iss (issuer), sub (subject/user ID), aud (audience), exp (expiration time), iat (issued-at time), and nbf (not-before time). Applications can also add custom private claims for application-specific data.

Can this tool verify a JWT signature?

No — signature verification requires the secret key (for HMAC algorithms like HS256) or the public key (for RSA/ECDSA algorithms like RS256 or ES256), which are not provided to this tool. This decoder only inspects the header and payload, which is useful for debugging claims and expiry times. Never treat an unverified JWT as trusted data.
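What decode-only inspection amounts to, as an added example (not this tool's own code): it splits the token, Base64URL-decodes the header and payload, and reports where the current time falls relative to exp and nbf. The function names, the sample token and its placeholder signature are constructed for illustration; the result is flagged `verified: false` because the signature segment is never checked.

```javascript
// Added example: decode-only JWT inspection. No signature check is performed.
function b64urlToText(segment) {
  // Base64URL -> Base64: swap the URL-safe characters and restore padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function decodeJwt(token) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  let header, payload;
  try {
    header = JSON.parse(b64urlToText(parts[0]));
    payload = JSON.parse(b64urlToText(parts[1]));
  } catch (e) {
    throw new Error("header or payload is not Base64URL-encoded JSON");
  }
  // The signature segment is carried along but never checked here.
  return { header, payload, signature: parts[2], verified: false };
}

function timeStatus(payload, nowSeconds) {
  // exp and nbf are expressed in seconds since the Unix epoch.
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) return "not yet valid";
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) return "expired";
  return "within validity window";
}

// Helper used only to build the constructed sample token below.
function b64url(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed sample; the third segment is a meaningless placeholder.
const sampleToken = [
  b64url({ alg: "HS256", typ: "JWT" }),
  b64url({ iss: "issuer.example", sub: "user-123", iat: 1700000000, exp: 1700003600 }),
  "placeholder-signature",
].join(".");

const decoded = decodeJwt(sampleToken);
console.log(decoded.header, decoded.payload, "verified:", decoded.verified);
console.log(timeStatus(decoded.payload, 1700000100));
```

The sample decodes cleanly even though its signature is not a real one, which is why decoded claims are debugging output and not an authorization decision.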

Is it safe to paste my JWT into an online tool?

This tool processes your JWT entirely in your browser — it never sends the token to any server. However, as a general security practice, avoid pasting real production tokens from live user sessions into any online tool, as tokens that haven't expired could be misused if intercepted. Use test or already-expired tokens when possible.

What is the difference between JWT and session cookies?

Session cookies carry a session ID that the server uses to look up user data on each request, which requires server-side session storage. JWTs are self-contained: the token itself carries user data and is verified by checking its signature, without a database lookup. JWTs are stateless and work well for distributed systems, but cannot be invalidated before expiry without additional infrastructure like a token denylist.