JWT Decoder & Encoder

Decode, inspect, and verify JSON Web Tokens instantly. Paste any JWT to see its decoded header, payload claims, and signature. Supports HS256, RS256, and all standard algorithms. Ideal for debugging authentication flows, inspecting OAuth tokens, and building secure APIs. All processing is in-browser — your tokens never leave your device.

What is a JWT?

A JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a digitally signed JSON object. A JWT consists of three dot-separated Base64URL-encoded sections: Header, Payload, and Signature.

JWTs are stateless — all the information needed to authorise a request is embedded in the token itself, removing the need for server-side session storage.

JWT Structure

  • Header: Token type (JWT) and signing algorithm, e.g. HS256, RS256
  • Payload: Claims: sub (subject), iat (issued at), exp (expiry), and custom claims
  • Signature: HMAC or RSA signature of header + payload, used to verify authenticity
  • Format: xxxxx.yyyyy.zzzzz — three parts joined by dots

Security Notes

  • JWT payloads are only Base64URL encoded — not encrypted. Never store sensitive data in the payload.
  • Always verify the signature server-side — never trust unverified tokens.
  • Prefer short expiry times (exp) and use refresh tokens.
  • Use RS256 (asymmetric) for public APIs; HS256 for internal services.
  • Store tokens in httpOnly cookies, not localStorage, to protect against XSS.
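The structure and the "verify server-side" note above, as an added Python example (not code from this tool): it builds an HS256 token from the three Base64URL sections, decodes it the way a decoder tool does (without trust), and then verifies it the way a server must, pinning the algorithm, comparing the MAC in constant time and enforcing exp. The secret and the claim values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret (placeholder); a real service loads it from a secret store.
SECRET = b"demo-secret-not-for-production"

def b64url_decode(segment: str) -> bytes:
    """Base64URL-decode one JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def encode_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build xxxxx.yyyyy.zzzzz: HMAC-SHA256 over base64url(header).base64url(payload)."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def decode_unverified(token: str) -> tuple:
    """What a decoder tool shows: header and claims, NOT yet trusted."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def verify_hs256(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Server-side check: pinned alg, constant-time MAC compare, exp. Raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the server expects; never let the token pick it (rejects alg "none").
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims
```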

Common JWT Use Cases

API Auth

Debug Bearer tokens in REST API requests from Postman or browser DevTools.

OAuth / OIDC

Inspect access and ID tokens from Google, Auth0, or Okta OAuth flows.

SSO

Verify Single Sign-On tokens and check expiry and claim values.

Microservices

Inspect service-to-service JWTs for internal API authentication.

Frequently Asked Questions