Decode, inspect, and verify JSON Web Tokens entirely client-side. Nothing is sent to any server.
A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519. It is widely used for authentication and authorization in web applications. A JWT consists of three Base64Url-encoded parts separated by dots:
Header — Contains metadata: the signing algorithm (alg) and token type (typ).
Payload — Contains claims: statements about the user and additional data. Registered claims include iss, sub, aud, exp, nbf, iat, and jti.
Signature — Created by signing the encoded header and payload with a secret or private key. Used to verify the token has not been tampered with.
⚠️ Security Note: JWTs are encoded, not encrypted. Anyone can decode the header and payload. Never store sensitive information in a JWT payload unless it is also encrypted (JWE).