JWT Decoder (Read-only)
Decode JWTs online. Inspect JSON Web Token headers, payloads, and signatures for authentication debugging and development. This tool is read-only and does not verify signatures.
JWT Decoder FAQ and Usage Guide
What is JWT?
JWT (JSON Web Token) is a standard for securely transmitting information as JSON objects. It is primarily used for authentication and information exchange. A token consists of three parts, Header, Payload, and Signature, separated by dots (.).
What is the structure of JWT?
JWT consists of three parts:
- Header: Token type and signing algorithm information (e.g., HS256, RS256)
- Payload: Actual data to transmit (claims)
- Signature: Signature to verify token integrity
Format: header.payload.signature
Does this tool verify JWT?
No. This tool only decodes and displays the contents of a JWT. It is a read-only tool: it does not verify signatures, so it cannot tell you whether a token is valid. Actual verification must be performed on the server side using the secret key (or, for asymmetric algorithms such as RS256, the corresponding public key).
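The difference between decoding and verifying, as an added example that is not this tool's own code. It assumes Node.js and HS256 only; the function names, secret, and claims are constructed for illustration.

```javascript
// Loads Node's crypto whether this file runs as CommonJS or as an ES module.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const fromB64url = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// What a read-only decoder does: split on dots and Base64url-decode. No key involved.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return { header: fromB64url(parts[0]), payload: fromB64url(parts[1]) };
}

// What the server must do: pin the algorithm, recompute the HMAC, compare in
// constant time, and only then trust claims such as exp.
function verifyHs256(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { header, payload } = decodeJwt(token);
  if (header.alg !== 'HS256') return { ok: false, reason: 'unexpected alg' };
  const [h, p, sig] = token.split('.');
  const expected = nodeCrypto.createHmac('sha256', secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  if (typeof payload.exp === 'number' && payload.exp <= nowSeconds) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, payload };
}

// Helper that issues a constructed sample token (hypothetical secret and claims).
function signHs256(payload, secret) {
  const h = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const p = b64url(JSON.stringify(payload));
  const sig = nodeCrypto.createHmac('sha256', secret).update(`${h}.${p}`).digest('base64url');
  return `${h}.${p}.${sig}`;
}

const SECRET = 'constructed-demo-secret';
const good = signHs256({ sub: 'user-1', role: 'user', exp: 2000000000 }, SECRET);
// Same header and signature, payload edited without the key: it still decodes,
// but it must not verify.
const [gh, , gs] = good.split('.');
const forgedPayload = b64url(JSON.stringify({ sub: 'user-1', role: 'admin', exp: 2000000000 }));
const tampered = `${gh}.${forgedPayload}.${gs}`;
```

`decodeJwt(tampered)` returns the edited claims without complaint, while `verifyHs256(tampered, SECRET)` rejects the token, which is why output from a decode-only tool is never evidence that a token is valid.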
Can I put sensitive information in JWT?
No. The JWT Payload is only Base64url-encoded, not encrypted. Anyone can decode and read the contents, so you should never include sensitive data like passwords or personal information in a JWT.
Where is JWT used?
Main use cases:
- Authentication: The server issues a JWT after user login, and the client presents the token to authenticate subsequent requests
- Information Exchange: The signature guarantees data integrity
- Single Sign-On (SSO): Authenticate across multiple services with one token
What information goes in the Payload?
The Payload contains pieces of information called claims:
- Registered claims: Standard claims (iss, exp, sub, aud, etc.)
- Public claims: Publicly defined claims
- Private claims: Custom claims (userId, name, role, etc.)
Is my data safe?
Yes! All processing happens only in your browser. Your JWT token is never sent to any server and is not stored anywhere.