JWT Decoder

Easily decode and inspect your JSON Web Tokens (JWTs). Paste your token and instantly view the header, payload, and signature—all formatted and readable.

DevelopmentSecurityAuthentication

JWT Token:

Secret (optional for signature verification):

Header:

Header will be displayed here

Payload:

Payload will be displayed here

Signature Verification:

Signature verification will be displayed here

What is JWT?

JWT stands for JSON Web Token. It's an open standard (RFC 7519) used for securely transmitting information between parties as a JSON object.

JWTs are commonly used for:

Authentication: After a user logs in, the server issues a JWT that the client includes in future requests (usually in the Authorization header). This proves the user's identity without needing to re-authenticate each time.
Authorization: Once authenticated, the server checks the token's payload to determine what the user is allowed to access—like roles, scopes, or permissions.
Information Exchange: JWTs can securely transmit data between parties. Since they are signed, the receiver can verify the token hasn't been tampered with.
Stateless Sessions: JWTs enable stateless authentication, meaning the server doesn’t need to store session data in memory or a database. Everything is stored in the token itself.
Single Sign-On (SSO): JWTs are popular in SSO systems where the token lets users access multiple applications or services with one login.

Here's an example of a JWT (JSON Web Token). It's made up of three parts, separated by dots. You can see each part in a different color so you can easily tell them apart.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0. KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30

These three parts are:

Header – contains the type of token and the signing algorithm used.
Payload – contains the claims (user data or other metadata).There are three types of claims:
- Registered claims: Predefined claims like iss (issuer), exp (expiration), sub (subject), etc.
- Public claims: Custom claims defined by the user.
- Private claims: Claims shared between the two parties that agree on the content.
Signature – ensures the token hasn't been tampered with.
- Verified Signature: This means the signature is valid. The header and payload have not been changed since the token was signed with the correct secret.
- Invalid Signature: This indicates that the signature could not be verified. This can happen for a few reasons:
  - The token (header or payload) was altered after it was signed.
  - The secret provided is incorrect.
  - The signing algorithm is not supported for verification by this tool (e.g., RS256, which requires a public key).