JWT Decoder

Decode and inspect JSON Web Tokens instantly. Client-side only.

About JWT Tokens

JSON Web Tokens (JWT) are a compact, URL-safe way to represent claims between two parties. They consist of three parts: a header, a payload, and a signature.

Header

Contains the token type and signing algorithm (e.g., HS256, RS256).

Payload

Contains the claims: user data, expiration, issuer, and custom fields.

Signature

Lets the holder of the key confirm that the header and payload have not been tampered with. A decoder cannot verify it client-side without the secret (HMAC) or the public key (RSA/ECDSA).

How to Use This JWT Decoder

  1. Paste your JWT token — Copy the full token string (starting with eyJ...) into the input field above.
  2. View decoded header and payload instantly — The header reveals the signing algorithm and token type, while the payload shows all claims and user data.
  3. Check expiration status — If the token contains an exp claim, the decoder will show whether the token is still valid or has expired.
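The three steps above, carried out in code. This is an added example and not the page's own decoder: it splits the token, base64url-decodes the header and payload, leaves the signature segment as-is, and reports the status of the exp and nbf claims against a given clock. The sample token is the widely published jwt.io example token (HS256, no exp claim); the function and variable names are this example's own.

```javascript
// Added example, not the page's own decoder code: a minimal client-side JWT
// decoder that does what the three steps above describe. It splits the token,
// base64url-decodes the header and payload, and reports the expiration status
// from the exp / nbf claims. It never checks the signature (see "Signature").

function base64UrlDecode(segment) {
  // base64url -> standard base64, then restore the '=' padding
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  // atob is a global in browsers and Node >= 16; Buffer is the Node fallback
  const binary = typeof atob === 'function'
    ? atob(padded)
    : Buffer.from(padded, 'base64').toString('latin1');
  const bytes = Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
  return new TextDecoder('utf-8').decode(bytes); // claims may hold UTF-8 text
}

function decodeJwt(token) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  const header = JSON.parse(base64UrlDecode(headerSeg));
  const payload = JSON.parse(base64UrlDecode(payloadSeg));
  if (header === null || typeof header !== 'object' ||
      payload === null || typeof payload !== 'object') {
    throw new Error('header and payload must be JSON objects');
  }
  // The signature segment is kept as raw base64url: without the key it can
  // only be displayed, not checked, so the result is flagged as unverified.
  return { header, payload, signature: signatureSeg, verified: false };
}

// Step 3: expiration status. `now` is seconds since the Unix epoch, like the
// exp / nbf claims; it is a parameter so the check is deterministic to test.
function checkTimeClaims(payload, now = Math.floor(Date.now() / 1000)) {
  const { exp, nbf } = payload;
  if (typeof nbf === 'number' && now < nbf) {
    return { status: 'not-yet-valid', secondsUntilValid: nbf - now };
  }
  if (typeof exp !== 'number') {
    return { status: 'no-exp' }; // nothing to check; the server's policy decides
  }
  return now >= exp
    ? { status: 'expired', secondsSinceExpiry: now - exp }
    : { status: 'valid', secondsRemaining: exp - now };
}

// The widely published jwt.io sample token (HS256; payload has sub, name, iat
// and no exp claim).
const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

// Wire the three steps together the way the input field above would.
function inspect(token, now) {
  const decoded = decodeJwt(token);
  return { ...decoded, expiration: checkTimeClaims(decoded.payload, now) };
}

console.log(JSON.stringify(inspect(SAMPLE_TOKEN), null, 2));
```

Nothing here leaves the browser: the whole token is handled by string and JSON operations on the client, which is why a decoder like this can never do more than display the signature segment.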

Common JWT Claims

iss

Issuer — identifies who created the token

sub

Subject — identifies the principal (usually a user ID)

exp

Expiration — Unix timestamp after which the token is invalid

iat

Issued At — Unix timestamp when the token was created

aud

Audience — intended recipient of the token

nbf

Not Before — token is not valid before this timestamp

jti

JWT ID — unique identifier to prevent token replay

JWT Security Best Practices

  • Always validate signatures server-side before trusting token contents
  • Check expiration (exp) before trusting any claims
  • Use HTTPS for all token transmission to prevent interception
  • Keep signing keys secret and rotate them periodically
  • Set reasonable expiration times — shorter-lived tokens reduce risk

FAQ

Can this tool verify JWT signatures?

This tool decodes only. Signature verification requires the secret key (for HMAC) or the public key (for RSA/ECDSA) and should always be performed server-side as part of your authentication flow.

Is it safe to paste my JWT here?

Yes. All decoding happens entirely in your browser using JavaScript. No data is sent to any server — you can verify this by checking the network tab in your browser's developer tools.

What algorithms does JWT support?

Common algorithms include HS256 (HMAC-SHA256), RS256 (RSA-SHA256), and ES256 (ECDSA-SHA256). The algorithm is specified in the token's header under the alg field.

Secure your webhook endpoints?

HookWatch supports JWT and HMAC signature verification for all incoming webhooks.

Get Started Free