About this tool
Decodes a JSON Web Token and shows the header, payload, claims, and validity state. Useful for debugging authentication, understanding what data an application is passing in a token, checking whether a token has expired, or simply seeing what's inside that long string that appeared in your cookies.
How to use
- Paste the JWT in the input field.
- See the header with algorithm and type, and the payload with the claims.
- Check the state: whether the token is expired, not yet valid, or currently within its validity window (between nbf and exp).
- Inspect standard claims (iss, sub, exp, iat) and custom ones.
Frequently asked questions
- Does decoding verify the signature?
- No. JWTs are signed, not encrypted. This tool decodes the header and payload (which are only Base64url-encoded) without needing the secret key. To verify the signature, you need the key the issuer used, and that key isn't part of the token. Decoding is for inspecting content, not for validating authenticity.
- Can I read sensitive claims in a JWT?
- Yes, and it's important to know: a JWT payload is readable as plain text (it's Base64url-encoded, not encrypted). Anyone with access to the token can read everything inside. Don't put passwords, card numbers, or sensitive personal data in a JWT, even if it's signed.
- Which claims are standard?
- iss (issuer, who issued the token), sub (subject, who it refers to), aud (audience, who it's for), exp (expiration, when it expires), nbf (not before, the token isn't valid before this time), iat (issued at, when it was issued), jti (unique token identifier). Other claims may be application-specific.
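The steps above (decode the header and payload, separate standard from custom claims, report the validity state) and the two FAQ points (decoding needs no key; verifying does) in one small Python script. This is an added example, not the tool's own code: the sample token, the demo key and the fixed "now" timestamp are constructed here so it runs offline, and the only verification shown is HS256 with a shared key.

```python
import base64
import hashlib
import hmac
import json

# Registered claims listed on this page (RFC 7519 section 4.1).
STANDARD_CLAIMS = {
    "iss": "issuer", "sub": "subject", "aud": "audience", "exp": "expiration",
    "nbf": "not before", "iat": "issued at", "jti": "JWT ID",
}

def b64url_decode(segment: str) -> bytes:
    """JWT segments are Base64url without '=' padding; restore it before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_jwt(token: str) -> dict:
    """What the tool does: read header and payload. No key, no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
        "signature_b64url": parts[2],
    }

def split_claims(payload: dict):
    """Separate the standard (registered) claims from application-specific ones."""
    standard = {k: v for k, v in payload.items() if k in STANDARD_CLAIMS}
    custom = {k: v for k, v in payload.items() if k not in STANDARD_CLAIMS}
    return standard, custom

def validity_state(payload: dict, now: int) -> str:
    """'expired' (now >= exp), 'not yet valid' (now < nbf), 'valid', or 'no time claims'."""
    exp, nbf = payload.get("exp"), payload.get("nbf")
    if exp is not None and now >= exp:
        return "expired"
    if nbf is not None and now < nbf:
        return "not yet valid"
    if exp is None and nbf is None:
        return "no time claims"
    return "valid"

def inspect(token: str, now: int) -> dict:
    decoded = decode_jwt(token)
    standard, custom = split_claims(decoded["payload"])
    return {"header": decoded["header"], "standard": standard,
            "custom": custom, "state": validity_state(decoded["payload"], now)}

# --- Signature side, to contrast with decoding (HS256 only, key assumed shared) ---
def make_hs256_jwt(payload: dict, key: bytes) -> str:
    """Builds the constructed sample token used below."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token: str, key: bytes) -> bool:
    """Needs the issuer's key; pins the algorithm instead of trusting the header alone."""
    if decode_jwt(token)["header"].get("alg") != "HS256":
        return False
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

# Constructed demo values (not from any real issuer).
DEMO_KEY = b"demo-secret-not-for-production"
NOW = 1_700_000_000
SAMPLE_PAYLOAD = {"iss": "https://issuer.example", "sub": "user-42", "aud": "demo-app",
                  "iat": NOW - 60, "nbf": NOW - 60, "exp": NOW + 3600,
                  "jti": "abc123", "role": "viewer"}
SAMPLE_TOKEN = make_hs256_jwt(SAMPLE_PAYLOAD, DEMO_KEY)

if __name__ == "__main__":
    print(json.dumps(inspect(SAMPLE_TOKEN, NOW), indent=2))
    print("verified with right key:", verify_hs256(SAMPLE_TOKEN, DEMO_KEY))
    print("verified with wrong key:", verify_hs256(SAMPLE_TOKEN, b"other"))
```

Note that `inspect` never touches the key: it reports the same claims whether or not the signature is genuine, which is exactly why an application must call something like `verify_hs256` (with algorithm pinned to what the issuer actually uses) before trusting any claim. The validity state only looks at `exp` and `nbf`; checking `aud` and `iss` against the expected values is a separate step the decoder does not do.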