JWT Decoder

Decode and inspect JSON Web Tokens (JWT). View header, payload, and signature.

0 characters

What is a JWT Decoder?

A JWT (JSON Web Token) decoder is a tool that decodes and displays the contents of JWT tokens. JWTs are commonly used for authentication and information exchange in web applications. This tool helps you inspect JWT contents without verifying the signature.

What is a JSON Web Token (JWT)?

JWT is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. A JWT consists of three parts separated by dots:

  • Header: Contains token type and signing algorithm (e.g., HS256, RS256).
  • Payload: Contains claims (statements about the user and metadata). Use our JSON Formatter to beautify the JSON payload data.
  • Signature: Ensures the token hasn't been tampered with.

The header and payload are Base64-encoded - if you need to manually decode Base64 data, use our Base64 Decoder tool.

When Do You Need a JWT Decoder?

  • Debugging Authentication: Inspect JWT tokens to verify their contents during development.
  • API Testing: View the claims and expiration time in API responses.
  • Security Analysis: Examine JWT structure and claims for security auditing.
  • Token Inspection: Quickly view token contents without writing code.
  • Learning: Understand how JWTs work by examining real tokens.

Important Security Note

Warning: This tool only decodes JWTs; it does not verify signatures. A decoded JWT is not necessarily valid or trustworthy. Always verify JWT signatures on your server before trusting the contents.

Common JWT Claims

  • iss (issuer): Who issued the token
  • sub (subject): The subject of the token (usually user ID)
  • aud (audience): Who the token is intended for
  • exp (expiration): When the token expires (Unix timestamp)
  • iat (issued at): When the token was issued
  • nbf (not before): Token is not valid before this time

How to Use This JWT Decoder

  1. Paste your JWT token in the input field above.
  2. Click the "Decode JWT" button.
  3. View the decoded header, payload, and signature in the output field.
  4. Use the "Copy Result" button to copy the decoded content.

Is This Tool Secure?

Yes. All processing happens in your browser. Your JWT tokens are never sent to any server, ensuring complete privacy. However, be cautious about decoding sensitive tokens in shared or public environments.

JWT Decoding in Programming Languages

Most languages have JWT libraries for decoding and verifying tokens. Here are examples (decode only, without verification):

PHP

// Using firebase/php-jwt
use Firebase\JWT\JWT;
use Firebase\JWT\Key;
$decoded = JWT::decode($token, new Key($key, 'HS256'));

JavaScript

// Using jsonwebtoken library
const jwt = require('jsonwebtoken');
const decoded = jwt.decode(token); // No verification

Python

# Using PyJWT
import jwt
decoded = jwt.decode(token, options={"verify_signature": False})

Go

// Using golang-jwt/jwt
import "github.com/golang-jwt/jwt/v5"
token, _ := jwt.Parse(tokenString, nil)
claims := token.Claims.(jwt.MapClaims)

Java

// Using java-jwt
import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;
DecodedJWT jwt = JWT.decode(token);

Ruby

# Using ruby-jwt
require 'jwt'
decoded = JWT.decode(token, nil, false)

C#

// Using System.IdentityModel.Tokens.Jwt
using System.IdentityModel.Tokens.Jwt;
var handler = new JwtSecurityTokenHandler();
var token = handler.ReadJwtToken(jwtToken);