
JWT Decoder & Inspector

Decode, visualize, and understand your JSON Web Tokens. 100% client-side: no data leaves your browser. Auto-decodes as you type.

What is a JWT (JSON Web Token)?

JWT is an open standard (RFC 7519) that defines a compact, self-contained way to securely transmit information between parties as a JSON object. This information is digitally signed, ensuring integrity and authenticity. JWTs are widely used for authentication and data exchange in modern web applications.

JWT Structure

A JWT consists of three parts separated by dots (.):

  • Header: token type (JWT) and signing algorithm (e.g., HS256, RS256).
  • Payload: the claims (user ID, roles, expiration, etc.).
  • Signature: lets the recipient detect that the token was altered. Computed over the encoded header and payload with the shared secret (HS256) or the private key (RS256).
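The split-and-decode step described above, as an added example that is not the tool's own code. It assumes a Node.js runtime for Buffer (a browser build would use atob() and TextDecoder instead); the sample token is the publicly documented jwt.io demo token, used here only as input.

```javascript
// Added example, not the tool's own code: split a JWT into its three parts
// and decode the two JSON parts. Assumes a Node.js runtime (Buffer); in a
// browser, atob() plus TextDecoder would take its place.

// Base64url (RFC 4648 section 5) drops '=' padding and swaps '+' '/' for
// '-' '_'; undo both before handing the text to the standard decoder.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error('segment contains characters outside the base64url alphabet');
  }
  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, 'base64');
}

function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected header.payload.signature, got ${parts.length} part(s)`);
  }
  const [headerB64, payloadB64, signatureB64] = parts;
  const header = JSON.parse(base64UrlDecode(headerB64).toString('utf8'));
  const payload = JSON.parse(base64UrlDecode(payloadB64).toString('utf8'));
  if (typeof header !== 'object' || header === null || Array.isArray(header)) {
    throw new Error('header is not a JSON object');
  }
  return {
    header,
    payload,
    // Raw signature bytes. Without the key they can only be displayed;
    // nothing here proves the token is genuine or unmodified.
    signature: base64UrlDecode(signatureB64),
    // The exact bytes a verifier would feed to the HMAC or RSA check.
    signingInput: `${headerB64}.${payloadB64}`,
  };
}

// Sample input: the publicly documented jwt.io demo token (HS256, payload
// {"sub":"1234567890","name":"John Doe","iat":1516239022}).
const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header);  // { alg: 'HS256', typ: 'JWT' }
console.log(decoded.payload); // { sub: '1234567890', name: 'John Doe', iat: 1516239022 }
console.log(decoded.signature.length, 'signature bytes'); // 32 for HS256
```

Note what the decoder does not do: it never checks the signature, so every field it returns is untrusted input until a verifier with the right key has confirmed it.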

Standard Claims Explained

  • iss: token issuer
  • sub: subject (the principal the token is about)
  • aud: audience (the intended recipient or recipients)
  • exp: expiration time
  • nbf: not before (the token is not valid before this time)
  • iat: issued at
  • jti: JWT ID (a unique identifier, useful for detecting replay)

Frequently Asked Questions

What is the difference between a signed and an encrypted token?

A signed JWT (JWS) guarantees integrity and authenticity, but the content is readable by anyone (it's base64url encoded, not encrypted). An encrypted JWT (JWE) hides the content: only the recipient with the private key can decrypt it. For authentication, signed JWTs are most common.

HS256 or RS256: which algorithm should I use?

HS256 (HMAC with SHA-256) uses a symmetric shared secret. Simple, but both sides must hold the secret, so any party that can verify tokens can also issue them.
RS256 (RSA with SHA-256) uses a public/private key pair. Better for distributed systems: only the auth server holds the private key, while every service that needs to verify tokens gets only the public key.

How does this decoder handle the signature?

This tool decodes header and payload entirely client-side. It displays the raw signature but cannot verify it without the secret. It's an inspection tool, not a cryptographic validator.

Is my data sent to a server?

No. All processing happens directly in your browser via JavaScript. Your token never leaves your machine.

Why does Base64 decoding not equal decryption?

Base64url is simply an encoding format, not encryption. It converts binary data into printable ASCII characters. Anyone with the token can decode the header and payload, which is why you should never store sensitive data (passwords, credit cards) in a JWT payload.

What does "exp" mean and how do I check token expiration?

The exp claim is a Unix timestamp (seconds since Jan 1, 1970 UTC). This decoder automatically compares it to the current time and shows a live countdown. A token is expired if the current Unix timestamp is greater than exp.
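An expiration check of the kind described above, as an added example that is not the tool's own code. It works on an already-decoded payload object, evaluates exp together with nbf and iat, and adds a clock-skew tolerance (leewaySeconds, an assumption; the tool itself applies none). It follows RFC 7519, under which the current time must be strictly before exp, and it also flags the common mistake of an exp written in milliseconds.

```javascript
// Added example, not the tool's own code: evaluate the time claims of an
// already-decoded payload object. Times are Unix seconds (RFC 7519
// NumericDate). `leewaySeconds` is an assumed tolerance for clock skew
// between issuer and verifier; the tool itself uses none.
function describeTimeClaims(payload, nowSeconds = Math.floor(Date.now() / 1000), leewaySeconds = 0) {
  const out = { status: 'valid', problems: [], secondsUntilExpiry: null, secondsUntilActive: null };

  // NumericDate must be a number; a string "exp" would compare as text.
  for (const claim of ['exp', 'nbf', 'iat']) {
    if (claim in payload && !Number.isFinite(payload[claim])) {
      out.problems.push(`${claim} is not a numeric timestamp`);
    } else if (claim in payload && payload[claim] > 1e11) {
      // Unix seconds past 1e11 is the year 5138: almost certainly milliseconds.
      out.problems.push(`${claim} looks like milliseconds, not seconds`);
    }
  }
  if (out.problems.length > 0) {
    out.status = 'malformed';
    return out;
  }

  if ('exp' in payload) {
    out.secondsUntilExpiry = payload.exp - nowSeconds;
    // RFC 7519 section 4.1.4: the current time must be before exp
    if (nowSeconds >= payload.exp + leewaySeconds) out.status = 'expired';
  } else {
    out.problems.push('no exp claim: the token never expires');
  }

  if ('nbf' in payload) {
    out.secondsUntilActive = payload.nbf - nowSeconds;
    if (out.status === 'valid' && nowSeconds + leewaySeconds < payload.nbf) out.status = 'not-yet-valid';
  }

  if ('iat' in payload && payload.iat > nowSeconds + leewaySeconds) {
    out.problems.push('iat is in the future: issuer clock ahead of ours?');
  }
  return out;
}

// Human-readable countdown for the UI, for future (positive) or past (negative) offsets.
function formatCountdown(seconds) {
  const s = Math.abs(Math.trunc(seconds));
  const parts = [
    `${Math.floor(s / 86400)}d`,
    `${Math.floor((s % 86400) / 3600)}h`,
    `${Math.floor((s % 3600) / 60)}m`,
    `${s % 60}s`,
  ].join(' ');
  return seconds < 0 ? `expired ${parts} ago` : `expires in ${parts}`;
}

// Constructed payloads, evaluated at a fixed "now" so the output is reproducible.
const NOW = 1700000000; // 2023-11-14T22:13:20Z
const samples = {
  live:      { sub: 'alice', iat: NOW - 60, nbf: NOW - 60, exp: NOW + 900 },
  expired:   { sub: 'alice', iat: NOW - 7200, exp: NOW - 3600 },
  tooEarly:  { sub: 'alice', nbf: NOW + 300, exp: NOW + 1200 },
  stringExp: { sub: 'alice', exp: String(NOW + 900) },
  noExpiry:  { sub: 'alice' },
};
for (const [name, payload] of Object.entries(samples)) {
  const r = describeTimeClaims(payload, NOW);
  const countdown = r.secondsUntilExpiry === null ? '' : formatCountdown(r.secondsUntilExpiry);
  console.log(name.padEnd(10), r.status.padEnd(14), countdown, r.problems.join('; '));
}
```

A token with no exp claim is reported as valid but flagged, because a verifier that silently accepts it has created a credential that never expires; whether to reject such tokens outright is a policy decision for the service, not for the decoder.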

What is the maximum size of a JWT?

There's no official limit, but browsers typically support cookies up to 4KB and HTTP headers up to 8KB. In practice, JWTs should be kept under 4KB. A bloated payload (too many claims or large values) will slow down every request that includes the token.
