JWT Decoder/Encoder
Decode and encode JSON Web Tokens (JWT) for debugging, development, and security testing. Paste a JWT or create a new one below.
JSON Web Tokens
JWTs (JSON Web Tokens, RFC 7519) are a widely used standard for passing signed authentication data between services. A token looks like three base64url strings separated by dots: header.payload.signature. This tool decodes the first two parts so you can see what's inside. It does not verify the signature, so nothing it shows should be trusted until your backend has checked the signature with the right key.
Note: Anyone can decode a JWT. A signed JWT (JWS) is encoded, not encrypted. The signature only proves the token wasn't tampered with, and only to a verifier that actually checks it; it doesn't hide the contents. Never put sensitive data in JWT claims.
JWT Structure
- Header: Algorithm and token type
- Payload: Claims (user data, expiration, etc.)
- Signature: an HMAC (HS256 and friends) or a digital signature (RS256, ES256, PS256) over the encoded header and payload
Understanding JSON Web Tokens
JWTs consist of three base64url-encoded parts separated by dots: header, payload, and signature. The header specifies the algorithm (like HS256 or RS256). The payload contains claims: standard claims like "exp" (expiration), "iat" (issued at), "nbf" (not before), "sub" (subject), or custom claims for your application. The signature lets a verifier that holds the right key confirm the token wasn't tampered with; anyone can read the first two parts without it.
JWTs are widely used for authentication because they're stateless: servers don't need to store session data. The token carries all the user information the server needs, signed to prevent tampering. However, a JWT can't be invalidated before it expires (without additional infrastructure such as a revocation list), so short expiration times combined with refresh tokens are the common pattern.
When Developers Actually Use This
JWTs (JSON Web Tokens) are three base64url-encoded sections joined by dots: header, payload, and signature. When you're debugging an authentication problem, the payload is where all the interesting information lives: the user ID, their roles, when the token was issued, and critically, when it expires. A common debugging scenario is a user reporting they're being logged out unexpectedly. You grab their token from the browser's local storage or from a network request in DevTools, paste it here, and immediately see "exp": 1711234567. Converting that Unix timestamp tells you the token expired 3 hours ago, which explains everything.
Another frequent use is verifying that your backend is correctly embedding the right claims when issuing tokens. If a user should have an admin role but certain features aren't unlocking, decoding their token confirms whether the role claim is actually present, whether it's spelled correctly, and whether it's in the format your frontend code expects — string vs array vs nested object. This kind of inspection takes 10 seconds with a decoder and 10 minutes without one.
Frequently Asked Questions
Can I decode a JWT without the secret key?
Yes. The header and payload are simply base64url-encoded, not encrypted, so anyone holding the token can decode and read them. The key is only needed to verify the signature and to create new valid tokens: without it you can read a token, but you can't tell whether it's genuine and you can't forge one. Never put sensitive information in JWT payloads.
What's the difference between HS256 and RS256?
HS256 uses a shared secret (symmetric): both creator and verifier need the same key, so every service that can verify tokens can also mint them. RS256 uses a public/private key pair (asymmetric): only the issuer needs the private key, and anyone can verify with the public key. RS256 is the better fit for distributed systems because a compromised verifier can't forge tokens. Whichever you use, configure the verifier with the algorithm and key it expects rather than letting the token's header choose the algorithm.
How should I store JWTs on the client?
Options include localStorage (readable by any script running on the page, so an XSS bug hands the token to the attacker), httpOnly cookies (not readable by script, but sent automatically with requests, so you need CSRF protection such as the SameSite attribute and anti-CSRF tokens), or in-memory (safest against theft, but lost on refresh). For most web apps, httpOnly cookies with the Secure and SameSite attributes plus CSRF protection offer the best security balance.
Can JWTs be revoked?
A major JWT limitation is that they're stateless: once issued, they're valid until they expire. To revoke JWTs you need server-side state again, either a revocation list checked on every request (keyed by a jti claim, which the issuer must include) or short-lived access tokens paired with refresh tokens that can be revoked. Consider your revocation needs when designing your system.
What claims should I include?
Standard claims: iss (issuer), sub (subject/user ID), aud (audience), exp (expiration), iat (issued at), and jti (unique token ID, needed if you ever want to revoke individual tokens). Add custom claims for user roles, permissions, or context. Avoid sensitive data: JWTs are readable by anyone with the token. Keep payloads small, since the token travels with every request.
When should I NOT use JWTs?
Avoid JWTs when sessions need immediate revocation (logout everywhere), when the data they would carry is sensitive, or when payload size matters. Simple server-side sessions are often the better choice for traditional web apps. JWTs excel in microservices, APIs, and stateless architectures.