JWT Decoder
Decode and inspect JWT tokens and bearer tokens online. View header, payload, signature, and expiration status.
100% Client-Side • Privacy Protected
Key Features
- Decode JWT tokens and bearer tokens instantly
- View header, payload, and signature in readable JSON format
- Check token expiration status automatically
- Inspect all JWT claims (iss, sub, aud, exp, iat, etc.)
- Support for all JWT algorithms (HS256, RS256, ES256, etc.)
- Parse OAuth 2.0 and OpenID Connect tokens
- Privacy-first: All decoding happens in your browser
- No signup, no data upload, completely free
How to Use the JWT Decoder
1. Copy your JWT token or bearer token from your application
2. Paste it into the input field (we'll auto-extract the token from 'Bearer <token>' format)
3. The decoder instantly displays the header, payload, and signature
4. Review the decoded claims and check expiration status
5. Verify the algorithm and token structure
Understanding JWT Structure
JSON Web Tokens (JWTs) are a compact, URL-safe means of representing claims between two parties. Understanding their structure is essential for modern web authentication and authorization.
What is a JWT Token?
A JWT (JSON Web Token) is a self-contained token format used for securely transmitting information between parties as a JSON object. It consists of three parts separated by dots: Header.Payload.Signature. JWTs are commonly used for authentication and information exchange in modern web applications, APIs, and microservices architectures.
JWT Header
The header typically consists of two parts: the token type (JWT) and the signing algorithm (e.g., HMAC SHA256 or RSA). The header is Base64Url encoded to form the first part of the JWT. Example: {"alg": "HS256", "typ": "JWT"}. The algorithm field indicates how the token signature should be verified.
JWT Payload (Claims)
The payload contains the claims - statements about an entity (typically the user) and additional data. There are three types of claims: registered claims (predefined like iss, exp, sub), public claims (custom but should be collision-resistant), and private claims (custom shared between parties). Common claims include exp (expiration time), iat (issued at), sub (subject/user ID), iss (issuer), and aud (audience).
JWT Signature
The signature is created by Base64Url-encoding the header and payload, joining them with a dot, and signing the result with the algorithm named in the header, using a secret key (HMAC) or a private key (RSA/ECDSA). The signature lets the receiver detect any tampering with the header or payload. To verify a JWT, the receiver needs the same secret key (for HMAC) or the issuer's public key (for RSA/ECDSA).
Bearer Tokens Explained
Bearer tokens are a type of access token included in the HTTP Authorization header. The format is 'Authorization: Bearer <token>'. JWTs are commonly used as bearer tokens in OAuth 2.0 and OpenID Connect flows. When you paste a bearer token into our decoder, we automatically extract the JWT portion. Bearer tokens grant access to protected resources - anyone who possesses the token can use it, hence they must be kept secure and transmitted only over HTTPS.
Common JWT Use Cases
- Authentication: After login, the server issues a JWT that the client includes in subsequent requests. The server validates the token without querying the database.
- Authorization: JWTs can carry user roles and permissions in the payload.
- Information Exchange: JWTs let services exchange information with the sender verified and the data integrity-checked.
- Single Sign-On (SSO): One token can authenticate a user across multiple applications.
- Stateless API Authentication: No need to maintain server-side session storage.
Frequently Asked Questions
What is a JWT token?
A JWT (JSON Web Token) is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three Base64Url-encoded parts: header, payload, and signature, separated by dots. JWTs are commonly used for authentication and authorization in modern web applications.
What is a bearer token?
A bearer token is an access token included in the Authorization HTTP header using the format 'Authorization: Bearer <token>'. JWTs are frequently used as bearer tokens in OAuth 2.0 and OpenID Connect protocols. Anyone who possesses a bearer token can use it to access protected resources, so they must be transmitted securely over HTTPS.
Can I decode bearer tokens with this tool?
Yes! Our decoder automatically extracts the JWT from bearer token format. Simply paste the entire 'Bearer <token>' string or just the JWT portion. The decoder will handle both formats and display the decoded header, payload, and signature.
Is JWT decoding safe? Will my token be uploaded?
Absolutely safe. All JWT decoding happens entirely in your browser using JavaScript - nothing is sent to any server. Your tokens never leave your device. We don't collect, store, or transmit any data. You can verify this by checking your browser's network tab or inspecting our open-source code.
Can this tool verify JWT signatures?
Our tool decodes and displays the JWT structure but does not verify signatures because that would require access to your secret key. Signature verification should be done on your backend server where the secret key is stored securely. This tool is designed for inspection and debugging, not authentication.
What are JWT claims?
JWT claims are statements about an entity (usually the user) contained in the payload. Common registered claims include: exp (expiration time), iat (issued at time), sub (subject/user identifier), iss (issuer), aud (audience), and nbf (not before). You can also include custom private claims specific to your application.
JWT vs Session Authentication - what's the difference?
Session authentication stores user state on the server and uses a session ID in cookies. JWT authentication is stateless - all user information is encoded in the token itself. JWTs enable horizontal scaling and work well with microservices, but they cannot be easily revoked before expiration. Sessions require server-side storage but allow instant revocation.
What is the difference between JWE and JWT?
JWT (JSON Web Token) is for signing data to ensure integrity and authenticity. JWE (JSON Web Encryption) is for encrypting data to ensure confidentiality. JWTs are typically signed (JWS - JSON Web Signature) but not encrypted, meaning anyone can decode and read the payload. JWE encrypts the entire payload so only parties with the decryption key can read it.
Why does my JWT token show as expired?
JWTs include an 'exp' (expiration) claim that specifies when the token becomes invalid. Our decoder checks this timestamp against the current time and highlights expired tokens. Expired tokens should not be accepted by your API. Token expiration is a security feature to limit the window of potential misuse if a token is compromised.