JWT Decoder — Tutorial

What is a JWT?

A JWT (JSON Web Token) is a compact, URL-safe token format used for authentication and data exchange. It consists of three parts: header, payload, and signature, separated by dots.

JWT Structure

Format: header.payload.signature

• Header: Describes the token type (JWT) and signing algorithm (HS256, RS256, etc.)
• Payload: Contains claims (data) about the user or context (sub, exp, iat, etc.)
• Signature: Used to verify the token hasn't been tampered with

Common claims

• sub (subject): User ID or identifier
• exp (expiration): Unix timestamp when token expires
• iat (issued at): Unix timestamp when token was created
• iss (issuer): Who issued the token
• aud (audience): Who the token is intended for

Example JWT

Official documentation

• JWT.io - Official JWT website
• RFC 7519 - JWT Specification
• MDN: Crypto API for verification

How to use the JWT Decoder

1. Paste or drop a JWT — Paste a JWT string or drop a file containing a JWT.
2. Decode — Click Decode to view the header, payload, and signature.
3. Output actions — Copy the decoded result or download it as a text file.
4. History — Last 5 decoded JWTs are stored locally. Use Clear history to remove them.

Open the tool: JWT Decoder

Privacy & limits

• All decoding is performed locally in your browser; no data is uploaded.
• Max file size: 2 KB.

Troubleshooting

• Invalid JWT: Ensure your input has exactly three parts separated by dots (header.payload.signature).
• Signature verification: This tool only decodes JWTs; it doesn't verify signatures. Use server-side libraries for verification.
• Malformed Base64: If decoding fails, the JWT may have invalid Base64 encoding in header or payload.
• Expired tokens: Check the exp claim to see if the token has expired.
• Large tokens: JWTs with large payloads may slow down the browser.

Security considerations

• Never trust unverified JWTs - always verify signatures server-side
• Sensitive data: JWT payloads are only Base64 encoded, not encrypted
• Token storage: Store JWTs securely (httpOnly cookies recommended over localStorage)
• Expiration: Always check the exp claim and implement token refresh