JWT Decoder

Paste a JWT to decode its header and payload.

How it Works

  • Paste your JSON Web Token (JWT) into the input area above.
  • The tool automatically decodes the Header and Payload sections.
  • It checks whether the token format is valid (three parts separated by dots).
  • If an expiration claim ('exp') exists, it checks whether the token has expired.
  • All decoding happens in your browser. Your JWT is never sent to any server, ensuring privacy.
  • The signature part of the JWT is not verified, since that requires the key used to sign the token.

Frequently Asked Questions

What is a JSON Web Token (JWT)?

A JWT is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs typically consist of three parts: Header, Payload, and Signature, separated by dots (.).

Can this tool verify the JWT signature?

No, this tool cannot verify the signature. Signature verification requires the secret key or the public key (depending on the algorithm) that was used to sign the token. Since this tool operates entirely client-side and doesn't have access to your secrets, it only decodes the Header and Payload, which are Base64URL encoded. Always verify the signature on your backend using the appropriate key before trusting the token's content.

Is it safe to paste my JWT here?

Yes. This tool processes the JWT entirely within your web browser using JavaScript. Your token is never transmitted over the network or sent to any server. The decoding logic runs locally on your machine, ensuring the privacy of your token's contents. However, be cautious about where you paste sensitive tokens; only use tools you trust.

What do the 'iat', 'exp', 'sub' claims mean?

These are standard "Registered Claims" defined in the JWT specification:
- iat (Issued At): Timestamp when the token was issued.
- exp (Expiration Time): Timestamp when the token expires and should no longer be accepted.
- sub (Subject): Identifies the principal that is the subject of the JWT (e.g., user ID).
There are other registered claims, and you can also include custom "Private Claims".

How does signature verification work?

This tool now supports signature verification in two ways:
1. Public Key Verification: Paste the public key (in PEM format) that corresponds to the private key used to sign the JWT.
2. JWKS Verification: Provide a JWKS (JSON Web Key Set) URL where the public keys can be fetched. This is common for OAuth/OIDC providers.

All verification happens client-side using the Web Crypto API. For RS256, ES256, and other asymmetric algorithms, you'll need the public key. For HS256 and other symmetric algorithms, you'll need the secret key (be cautious sharing this).