What is a JWT (JSON Web Token)?
A JSON Web Token is a compact string with three Base64URL-encoded parts separated by dots: header, payload, and signature. It’s commonly used to transmit claims between parties.
Why use a JWT decoder?
- Inspect claims like exp, iss, aud, scopes, roles, and custom fields when debugging auth.
- Confirm the header metadata (like alg/kid) matches what your identity provider is issuing.
- Learn the structure of JWTs without needing extra tooling.
Security reminder
Decoding a JWT only reveals its contents. It does not prove the token is valid or trustworthy—always verify the signature with the correct key before relying on claims.
JWT decoder FAQ
Does this JWT decoder verify signatures?
No. It only decodes the header and payload so you can inspect claims. Signature verification requires the correct key and should be done server-side or with a trusted verifier.
Is it safe to paste a JWT here?
Decoding happens in your browser, but JWTs can contain sensitive data. Avoid pasting production tokens or anything you wouldn’t share in logs.
Why does my token say “invalid Base64URL” or “3 parts required”?
A JWT must have exactly three dot-separated parts: header.payload.signature. Extra spaces, missing dots, or non-Base64URL characters will break decoding.
How do I read exp / iat / nbf values?
These claims are usually Unix timestamps (seconds). Use the Unix Timestamp Converter tool to convert them into human-readable dates.
What does “alg” mean in the header?
“alg” indicates the signing algorithm used for the token (for example HS256 or RS256). It’s metadata—trust still depends on verifying the signature.
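The decoding steps described in the FAQ above (the three-part check, Base64URL decoding, and reading exp / iat / nbf as Unix seconds), as an added example that is not this tool's own code. The function names, the issuer URL, the claims and the placeholder signature are all constructed for illustration. It also shows why decoding proves nothing: a token whose payload was edited after issuance decodes just as cleanly.

```javascript
// Decode one Base64URL segment to a UTF-8 string (JWT segments carry no padding).
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment) || segment.length % 4 === 1) {
    throw new Error('invalid Base64URL');
  }
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(segment.length / 4) * 4, '=');
  const bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// Decode (NOT verify) a compact JWT: header, payload, and readable time claims.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('3 parts required');
  const header = JSON.parse(b64urlDecode(parts[0]));
  const payload = JSON.parse(b64urlDecode(parts[1]));
  const times = {};
  for (const claim of ['exp', 'iat', 'nbf']) {
    if (typeof payload[claim] === 'number') {
      // Claims are seconds since the epoch; Date expects milliseconds.
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  return { header, payload, times, signatureVerified: false };
}

// Constructed sample input: build a demo token with a placeholder signature.
function b64urlEncode(obj) {
  return btoa(JSON.stringify(obj))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const demoHeader = { alg: 'HS256', typ: 'JWT' };
const demoPayload = { iss: 'https://idp.example', sub: 'alice', role: 'user', exp: 1700000000 };
const demoToken = `${b64urlEncode(demoHeader)}.${b64urlEncode(demoPayload)}.bm90LWEtcmVhbC1zaWduYXR1cmU`;

// Same token with the payload edited and the old signature kept: it still decodes.
const tamperedToken = [
  b64urlEncode(demoHeader),
  b64urlEncode({ ...demoPayload, role: 'admin' }),
  demoToken.split('.')[2],
].join('.');

console.log(decodeJwt(demoToken));
console.log(decodeJwt(tamperedToken).payload.role);
```

Only a verifier holding the correct key would reject the second token; the decoder cannot tell the two apart.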