ToolzPod

JWT Decoder

Decode JSON Web Tokens to see header and payload.

What Is a JWT Decoder?

A JWT (JSON Web Token) decoder extracts and displays the contents of a JWT without requiring the secret key. JWTs are a compact, URL-safe format for transmitting claims between parties, commonly used for authentication and API authorization.

How to Use This JWT Decoder

  1. Paste your JWT string into the input field.
  2. Click “Decode”.
  3. View the decoded header and payload as formatted JSON.

Key Concepts

A JWT consists of three parts separated by dots: header.payload.signature. The header specifies the signing algorithm (e.g., HS256, RS256). The payload contains claims such as “sub” (subject), “iat” (issued at), and “exp” (expiration time). Both header and payload are Base64URL-encoded JSON, which means they are encoded, not encrypted. The signature is computed over the encoded header and payload using a secret key (or, for algorithms such as RS256, a private key), so the recipient can verify the token's integrity.

Frequently Asked Questions

Is it safe to decode JWTs in the browser?

Yes. Decoding a JWT only reads the header and payload, which are already readable by anyone who holds the token. The sensitive part is the signing secret, which is not included in the token itself. However, avoid sharing JWTs publicly: they may contain personal data, and a token that has not expired can be used by anyone who obtains it.

Can I verify the signature with this tool?

This tool decodes the token to show its contents. Signature verification requires the secret key or public key and is typically done server-side for security reasons.

What does the “exp” claim mean?

The “exp” (expiration time) claim is a Unix timestamp indicating when the token becomes invalid. Applications should reject tokens where the current time exceeds the exp value.
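
The three-part structure from Key Concepts and the signature and “exp” answers above, as an added Node.js example (not this tool's code): decoding works without any key, while verification recomputes the HS256 signature with the secret before the claims, including exp, are trusted. The secret, claims and function names are constructed for illustration.

```javascript
// Added example (Node.js). The secret and claims below are constructed sample values.
const nodeCrypto = typeof require === 'function'
  ? require('crypto') : process.getBuiltinModule('crypto');

// Base64URL uses '-' and '_' instead of '+' and '/', and drops '=' padding.
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error('invalid Base64URL segment');
  return Buffer.from(segment.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}
function b64urlEncode(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decoding needs no key: it only parses the first two segments.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [header, payload] = parts.slice(0, 2)
    .map((p) => JSON.parse(b64urlDecode(p).toString('utf8')));
  return { header, payload, signingInput: `${parts[0]}.${parts[1]}`, signature: parts[2] };
}

// HS256 signature: HMAC-SHA256 over "header.payload", keyed with the shared secret.
function hs256(signingInput, secret) {
  return nodeCrypto.createHmac('sha256', secret).update(signingInput).digest();
}

// Hypothetical helper that builds a sample token for this example.
function signHs256(payload, secret) {
  const enc = (obj) => b64urlEncode(Buffer.from(JSON.stringify(obj)));
  const input = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}`;
  return `${input}.${b64urlEncode(hs256(input, secret))}`;
}

// Verification needs the secret; only after it passes are the claims trustworthy.
function verifyHs256(token, secret, nowSeconds) {
  const { header, payload, signingInput, signature } = decodeJwt(token);
  if (header.alg !== 'HS256') return { valid: false, reason: 'unexpected alg' };
  const expected = hs256(signingInput, secret);
  const actual = b64urlDecode(signature);
  if (actual.length !== expected.length || !nodeCrypto.timingSafeEqual(actual, expected)) {
    return { valid: false, reason: 'bad signature' };
  }
  if (typeof payload.exp !== 'number') return { valid: false, reason: 'missing exp' };
  if (nowSeconds >= payload.exp) return { valid: false, reason: 'expired' };
  return { valid: true, payload };
}
const sampleToken = signHs256({ sub: 'user-123', iat: 1700000000, exp: 1700003600 }, 'constructed-secret');
console.log(decodeJwt(sampleToken).payload, verifyHs256(sampleToken, 'constructed-secret', 1700000100));
```

A payload that has been altered still decodes cleanly; only the signature check in verifyHs256 detects the change.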
