Decode and inspect JWT tokens instantly. Extracts and displays the Header, Payload (claims), and Signature sections. Shows expiration time, issued-at, subject, and all custom claims — no secret key required for decoding.
JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information as a JSON object. Commonly used for authentication.
A standard JWT (JWS) is signed but NOT encrypted. The payload can be decoded by anyone. Use JWE for confidentiality.
A JWT has three parts: the Header specifies the algorithm (e.g. HS256); the Payload contains claims such as user ID, expiration time (exp), and issuer (iss); the Signature is computed by signing the header and payload with a secret key to verify that the token has not been tampered with. Decoding a JWT requires no key, but verifying the signature does.
Verifying a JWT signature requires a key: HMAC (HS256) uses a shared secret; RSA/ECDSA uses a public key. This tool only decodes the token content — it does not verify the signature (no key available). In application code, use official libraries (jsonwebtoken for Node.js, PyJWT for Python) for full verification, including signature validation, exp expiry check, and iss/aud claim validation. Never trust JWT content without verifying the signature.