JWT Decoder

Decode JWT (JSON Web Token) header and payload, and check expiration status.

JWT Token
About JWT
Structure Header.Payload.Signature
Note This tool only decodes the token. It does not verify the signature.
What is a JWT?

JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. JWTs can be signed using a secret (HMAC) or a public/private key pair (RSA/ECDSA). They're commonly used for authentication and information exchange in web applications.

JWT Structure

A JWT consists of three parts separated by dots: Header (algorithm and token type), Payload (claims/data), and Signature (verification). Each part is Base64Url encoded. The signature ensures the token hasn't been tampered with, but the header and payload can be decoded by anyone.

Common Use Cases
  • User authentication and authorization
  • Single Sign-On (SSO) systems
  • API authentication
  • Secure information exchange between services
  • Stateless session management
Standard Claims
iss Issuer - Who created and signed the token
sub Subject - Who the token is about (usually user ID)
aud Audience - Intended recipient of the token
exp Expiration - Unix timestamp when token expires
iat Issued At - Unix timestamp when token was created
Frequently Asked Questions

Are JWTs encrypted?

Standard JWTs (JWS) are signed but not encrypted - anyone can read the payload. For encrypted tokens, use JWE (JSON Web Encryption). Never store sensitive data in regular JWTs.

How do I invalidate a JWT?

JWTs are stateless by design and can't be directly invalidated. Common strategies include short expiration times, token blacklists, or changing the signing key (invalidates all tokens).