← back to flaviocopes.com

JWT decoder

← All tools

Paste a JSON Web Token to inspect its header, payload, and expiry. Decoding happens entirely in your browser — nothing is sent to a server.

~~~

Token

Privacy: Your token never leaves the browser. No network requests are made. Still, avoid pasting production tokens anywhere as a habit.

This token has no signature segment — it is unsigned. Treat it as untrusted.

~~~

About JWTs

A JSON Web Token (JWT) is a compact, URL-safe string used to carry claims between parties. It has three dot-separated parts: a header (metadata like the signing algorithm), a payload (the claims — user ID, roles, expiry, custom data), and a signature (proof the token was not tampered with).

Registered claims include iss (issuer), sub (subject),aud (audience), exp (expiration), nbf (not before),iat (issued at), and jti (token ID). Any other key is a private or public custom claim.

Decoding a JWT shows you what is inside — it does not prove the token is genuine. Always verify the signature with the issuer's key before trusting claims for authentication or authorization. Tokens with alg: none or missing signatures must be rejected in production.

~~~

Read more