🪙 JWT TOKEN DECODER
// Decode and inspect JSON Web Tokens — header, payload and signature

Paste a JWT to decode it and display the header, payload claims and expiry. All processing is done in your browser; the token is never sent to a server.


JWT Token Decoder — Inspect JSON Web Token Header, Payload and Claims

Our free JWT decoder lets you instantly decode and inspect any JSON Web Token (JWT): the header algorithm, payload claims, expiry time, issuer and subject. It does not verify the signature, so what you see is what the token claims, not what the issuer has vouched for. All decoding is done entirely in your browser and the token is never sent to any server. Even so, a JWT is a bearer credential: anyone who obtains an unexpired token can use it, so prefer test-environment or already-expired tokens where you can, and confirm the no-network claim for yourself in the browser's network panel before pasting anything sensitive.

What is a JWT Token?

A JSON Web Token (JWT) is an open standard (RFC 7519) for representing a set of claims as a JSON object, normally signed as a JSON Web Signature (JWS) so the recipient can check that it came from the issuer and was not modified. The signature does not hide anything: header and payload are Base64URL-encoded, not encrypted, and anyone holding the token can read them, which is exactly what this tool does. JWTs are widely used for authentication and authorisation in REST APIs, single-page applications, microservices and OAuth 2.0 flows. The signed form that nearly every API uses consists of three Base64URL-encoded parts separated by dots:

  • Header — the signing algorithm (alg: HS256, RS256, ES256, etc.) and usually the token type (typ: JWT); it may also carry a key identifier (kid) that tells the verifier which key to use
  • Payload — the claims: sub (subject/user ID), iss (issuer), aud (audience), exp (expiry), iat (issued at), and any custom claims
  • Signature — a MAC or digital signature over the first two parts. Checking it needs the shared secret for HMAC algorithms such as HS256, or the issuer's public key for asymmetric ones such as RS256 and ES256; until that check passes, nothing in the token can be trusted
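The structure above, as an added example that is not the page's own tool code: a small Node.js decoder that splits a compact JWS into its three parts, Base64URL-decodes and parses the header and payload, measures the signature, and converts the NumericDate claims to dates. It does not verify anything, just like the tool. The sample token is constructed for the example (header {"alg":"HS256","typ":"JWT"}, payload {"sub":"1234567890","name":"John Doe","iat":1516239022}); the function names are my own. Requires Node.js 16 or later for the built-in base64url encoding.

```javascript
// Added example (not the page's own code): decode a compact JWS
// (header.payload.signature) without verifying it, as the decoder above does.
// Node.js >= 16: Buffer understands the "base64url" encoding natively.

function base64UrlDecode(part) {
  // Buffer silently skips characters outside the alphabet, so check first:
  // a mangled token should be reported, not quietly mis-decoded.
  if (!/^[A-Za-z0-9_-]*$/.test(part)) {
    throw new Error("invalid base64url segment");
  }
  return Buffer.from(part, "base64url");
}

// Returns the decoded header/payload plus a few derived facts. `now` is seconds
// since the Unix epoch and is a parameter so callers (and tests) can pin it.
function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  const header = JSON.parse(base64UrlDecode(h).toString("utf8"));
  const payload = JSON.parse(base64UrlDecode(p).toString("utf8"));
  const signature = base64UrlDecode(s);

  // exp/iat/nbf are NumericDate values: seconds (not milliseconds) since epoch.
  const toDate = (v) => (Number.isFinite(v) ? new Date(v * 1000) : null);

  return {
    header,
    payload,
    alg: header.alg,
    // 32 bytes for HS256 (an HMAC-SHA256 tag); 256 bytes for RS256 with a
    // 2048-bit key. A length that does not fit the alg is a red flag.
    signatureBytes: signature.length,
    issuedAt: toDate(payload.iat),
    expiresAt: toDate(payload.exp),
    // A token without exp never expires; report null rather than "not expired"
    // so the caller can flag it explicitly.
    expired: payload.exp === undefined ? null : payload.exp <= now,
  };
}

// Constructed sample token: HS256 header, the payload quoted in the lead-in,
// and a 32-byte HS256 signature that this decoder does not check.
const SAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN), null, 2));
```

Note the two things a decoder like this cannot tell you: whether the signature is valid, and whether the alg in the header is the one the server actually uses. Both are decided by the verifier, never by the token.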

JWT Security Best Practices

  • Always verify the signature server-side, and verify it with the algorithm and key the server expects rather than whatever the token's alg header says; reject "none" outright (RFC 8725, the JWT best-current-practice document, covers this). Never trust a JWT based on its decoded content alone.
  • Use short lifetimes for access tokens (minutes, not hours) and pair them with refresh tokens that can be revoked.
  • When the service that verifies tokens is not the one that issues them, use an asymmetric algorithm (RS256, ES256, EdDSA) rather than HS256: the issuer's private key signs and verifiers hold only the public key, so a compromised verifier cannot mint tokens.
  • Do not store JWTs in localStorage, where any script running on the page can read them. An httpOnly cookie keeps the token out of reach of JavaScript after an XSS (it does not prevent the XSS itself); set SameSite and add CSRF protection, because the browser will now attach the cookie automatically.
  • Always validate exp and nbf (allowing a small clock skew) and check that iss and aud match what the server expects, so a token issued for one service cannot be replayed against another.
  • Handle logout and compromise with a denylist of revoked jti values, or accept that a token stays valid until its exp and keep that short.

Common JWT Claims Reference

  • sub — Subject (usually user ID)
  • iss — Issuer (who created the token)
  • aud — Audience (intended recipient)
  • exp — Expiration time (Unix timestamp)
  • iat — Issued at (Unix timestamp)
  • nbf — Not before (token not valid before this time)
  • jti — JWT ID (unique identifier for the token)