100% Client-Side • No Data Leaves Your Browser

JWT Decoder

Paste a JSON Web Token to instantly decode and inspect its header, payload, and signature. Expiration check, timestamp conversion, and claim explanations included.

No signature verification. This tool decodes JWTs client-side. We do not have your secret key, so signatures are not verified. Never paste production tokens containing sensitive data into any online tool.

Standard JWT Claims (RFC 7519)

Claim | Full Name       | Description
iss   | Issuer          | Identifies who issued the JWT (e.g., your auth server URL)
sub   | Subject         | Identifies the principal subject (usually a user ID)
aud   | Audience        | Identifies the recipients the JWT is intended for
exp   | Expiration Time | Unix timestamp after which the JWT must not be accepted
nbf   | Not Before      | Unix timestamp before which the JWT must not be accepted
iat   | Issued At       | Unix timestamp when the JWT was issued
jti   | JWT ID          | Unique identifier to prevent token replay attacks

Frequently Asked Questions

A JSON Web Token (JWT, pronounced "jot") is a compact, URL-safe token format defined by RFC 7519. It consists of three Base64URL-encoded parts separated by dots: header.payload.signature. The header specifies the signing algorithm (e.g., HS256, RS256). The payload contains claims — key-value pairs carrying information like user ID, roles, and expiration time. The signature ensures the token hasn't been tampered with. JWTs are widely used for authentication (after login, the server issues a JWT that the client sends with each request) and authorization (the token's claims determine what the user can access).
No. JWT signature verification requires the signing key — either a shared secret (HMAC algorithms like HS256) or a public key (asymmetric algorithms like RS256 or ES256). Since this is a client-side tool, we don't have access to your keys. We can decode the token (show you what's inside) but not verify it (confirm it's authentic and untampered). For signature verification, use server-side libraries like jsonwebtoken (Node.js), PyJWT (Python), or java-jwt (Java).
This tool runs 100% in your browser; no data is sent to any server. However, as a general security practice, avoid pasting production tokens that contain sensitive information into online tools you don't trust. For production JWTs, you can decode them directly in your browser console: JSON.parse(atob(token.split('.')[1])). Note that atob() expects standard Base64, so if the payload segment contains - or _ characters you must apply the Base64URL conversion described below first. Development and staging tokens that contain only test data are safe to decode anywhere.
HS256 (HMAC-SHA256) is a symmetric algorithm — the same secret key is used to both sign and verify the token. Both the issuer and the verifier must share the secret. RS256 (RSA-SHA256) is an asymmetric algorithm — the issuer signs with a private key, and anyone can verify with the corresponding public key. RS256 is preferred when multiple services need to verify tokens without sharing secrets (e.g., microservices architecture, third-party integrations).
The exp (expiration) claim is a Unix timestamp (seconds since January 1, 1970 UTC) that defines when the token expires. After this time, the token should be rejected by the server. Short-lived tokens (e.g., 15 minutes) reduce the window of misuse if a token is compromised. Pair them with refresh tokens for a good balance of security and user experience. If a JWT doesn't have an exp claim, it never expires — which is generally a security risk.
Base64URL is a URL-safe variant of Base64 encoding defined in RFC 4648. It replaces + with - and / with _, and omits the = padding characters. This makes the output safe to use in URLs, HTTP headers, and cookies without percent-encoding. JWTs use Base64URL (not standard Base64) for all three parts. If you try to decode a JWT part with standard atob(), you may need to first replace - with + and _ with /, and add = padding until the length is a multiple of four.
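The expiration check and the Base64URL conversion described above, as an added example in JavaScript (not the tool's own code). It assumes a browser or Node 16+ environment (atob, btoa, TextEncoder and TextDecoder as globals) and builds its own constructed sample token, whose signature segment is placeholder text rather than a real HMAC, which is exactly why a decode-only tool cannot vouch for a token.

```javascript
// Added example (not the tool's own source): decode and time-check a JWT
// without verifying it. Assumes a browser or Node >= 16, where atob, btoa,
// TextEncoder and TextDecoder are globals.

function base64UrlDecode(segment) {
  // Base64URL -> standard Base64: restore + and /, then re-add = padding
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const rem = b64.length % 4;
  if (rem === 1) throw new Error("invalid Base64URL segment length");
  if (rem !== 0) b64 += "=".repeat(4 - rem);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8").decode(bytes); // JWT JSON is UTF-8
}

function base64UrlEncode(text) {
  // Only used here to build the constructed sample token below
  const bytes = new TextEncoder().encode(text);
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  const toIso = (t) => (typeof t === "number" ? new Date(t * 1000).toISOString() : null);
  return {
    header,
    payload,
    signature: parts[2],        // raw Base64URL; we have no key, so it is NOT checked
    signatureVerified: false,   // always false for a decode-only tool
    timeStatus: {
      hasExpiry: typeof payload.exp === "number", // no exp => token never expires
      expired: typeof payload.exp === "number" && nowSeconds >= payload.exp,
      notYetValid: typeof payload.nbf === "number" && nowSeconds < payload.nbf,
      issuedAt: toIso(payload.iat),
      expiresAt: toIso(payload.exp),
    },
  };
}

// Constructed sample token (not a real issued token); the third segment is
// placeholder text, not an HMAC-SHA256 value.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({ iss: "https://auth.example", sub: "user-42",
    iat: 1700000000, nbf: 1700000000, exp: 1700003600 })),
  base64UrlEncode("placeholder-signature"),
].join(".");
```

Run decodeJwt(SAMPLE_TOKEN) to see the decoded header, payload, converted timestamps and the time status; signatureVerified stays false because no key is ever involved.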
Deep Dive
JWT Tokens Explained: Structure, Security & Common Mistakes

1,500+ word guide covering JWT structure, signing algorithms, security best practices, and common pitfalls.
