CalcHive

JWT Decode & Inspect


Decode and inspect JSON Web Tokens (JWT) instantly. View the header, payload, and signature. Verify token expiration and claims.

How to Use JWT Decode & Inspect

  1. Paste a JWT token into the input area.
  2. The header, payload, and signature are decoded instantly.
  3. Check the token status to see if it is expired.
  4. Click "Copy" on any section to copy its content.

What is JWT Decode?

JWT (JSON Web Token) is a compact, URL-safe token format used for securely transmitting information between parties. This tool decodes a JWT and displays its three components: the header (algorithm and type), the payload (claims and data), and the signature.

Decoding a JWT does not require a secret key; it simply Base64URL-decodes each part. This is useful for debugging authentication flows, inspecting token claims, and checking expiration times. All processing happens in your browser; no data is sent to any server.

What Each JWT Part Contains

The header specifies the signing algorithm (alg), usually HS256 (HMAC-SHA256) or RS256 (RSA-SHA256), and the token type (typ). The payload holds claims: registered ones like sub (subject), iss (issuer), and aud (audience), plus any custom data your app needs. The signature is an HMAC (HS256) or a digital signature (RS256) computed over the encoded header and payload with a secret or private key; a verifier holding the matching key can detect any tampering with either part.

JWTs Are Signed, Not Encrypted

This trips up a lot of developers. A standard JWT (JWS) is just base64url-encoded, so anyone can read the payload. The signature only proves, to a party that actually verifies it, that the token hasn't been modified; it does not make the contents secret. Never put sensitive data like passwords or SSNs in a JWT payload. If you need encrypted tokens, look into JWE (JSON Web Encryption), though most apps don't need it.

Understanding exp and iat Claims

The exp (expiration) claim is a Unix timestamp marking when the token becomes invalid. The iat (issued at) claim records when the token was created. Both are in seconds, not milliseconds. Short-lived tokens (15 minutes to 1 hour) paired with refresh tokens are the standard pattern. If your API rejects a token that looks valid, check exp first, as clock skew between servers is a common culprit.
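As an added example (not code from the CalcHive tool), here is the same decode-and-inspect step in Python, with the exp check and clock-skew leeway described above, plus an HS256 verification to show the difference between decoding a token and verifying it. The secret and the claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_decode(part: str) -> bytes:
    # JWTs strip the '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt(token: str) -> dict:
    """Split a compact JWS into header, payload and raw signature. No key needed: decoding only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments: header.payload.signature")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
        "signature": b64url_decode(parts[2]),
    }

def token_status(payload: dict, now=None, leeway: int = 0) -> str:
    """Classify a payload by its exp claim (Unix seconds); leeway absorbs clock skew between servers."""
    now = int(time.time()) if now is None else now
    if "exp" not in payload:
        return "no-exp"
    return "expired" if now > payload["exp"] + leeway else "valid"

def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute HMAC-SHA256 over 'header.payload' and compare in constant time."""
    decoded = decode_jwt(token)
    if decoded["header"].get("alg") != "HS256":
        return False  # only accept the algorithm the verifier expects
    signing_input = token.rsplit(".", 1)[0].encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, decoded["signature"])

def make_hs256_token(payload: dict, secret: bytes) -> str:
    """Build a constructed sample token so the functions above have realistic input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"
```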

JWT vs Session Cookies

JWTs work well for stateless APIs and microservice architectures where you don't want a shared session store. Session cookies are simpler for traditional server-rendered apps and are easier to revoke (just delete the session). JWTs can't be revoked without a blocklist, which defeats the stateless advantage. Pick the approach that fits your architecture; not every app needs JWTs.

JWTs use Base64URL encoding internally. Try our Base64 Encoder/Decoder to understand the underlying encoding. For verifying data integrity with hashes, use the SHA-256 Hash Generator. You can also generate secure tokens with the Random String Generator.
