
JWT Decoder
Easily decode and inspect your JSON Web Tokens (JWTs). Paste your token and instantly view the header, payload, and signature—all formatted and readable.
What is JWT?
JWT stands for JSON Web Token. It's an open standard (RFC 7519) used for securely transmitting information between parties as a JSON object.
JWTs are commonly used for:
- Authentication: After a user logs in, the server issues a JWT that the client includes in future requests (usually in the Authorization header). This proves the user's identity without needing to re-authenticate each time.
- Authorization: Once authenticated, the server checks the token's payload to determine what the user is allowed to access—like roles, scopes, or permissions.
- Information Exchange: JWTs can securely transmit data between parties. Since they are signed, the receiver can verify the token hasn't been tampered with.
- Stateless Sessions: JWTs enable stateless authentication, meaning the server doesn't need to store session data in memory or a database. Everything is stored in the token itself.
- Single Sign-On (SSO): JWTs are popular in SSO systems where the token lets users access multiple applications or services with one login.
Here's an example of a JWT (JSON Web Token). It's made up of three parts, separated by dots; the decoder shows each part in a different color so you can easily tell them apart.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30
These three parts are:
- Header – contains the type of token and the signing algorithm used.
- Payload – contains the claims (user data or other metadata). There are three types of claims:
  - Registered claims: predefined claims like iss (issuer), exp (expiration), sub (subject), etc.
  - Public claims: custom claims defined by the user.
  - Private claims: claims shared between the two parties that agree on the content.
- Signature – ensures the token hasn't been tampered with.
The signature check reports one of two results:
- Verified Signature: the signature is valid. The header and payload have not been changed since the token was signed with the correct secret.
- Invalid Signature: the signature could not be verified. This can happen for a few reasons:
  - The token (header or payload) was altered after it was signed.
  - The secret provided is incorrect.
  - The signing algorithm is not supported for verification by this tool (e.g., RS256, which requires a public key).
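The following is an added example, not code from this page or from the decoder tool itself. It shows, with only the Python standard library, the three steps the tool performs on the token above: splitting and base64url-decoding the header and payload (no secret needed, which is why nothing confidential belongs in a payload), recomputing the HS256 signature over the token's exact base64url text, and reporting "verified", "invalid" or "unsupported" in the same three cases the tool distinguishes. The secret `constructed-demo-secret` and the claims in the demo token are constructed for the example; the page's token is only decoded, not verified, because its signing secret is not stated on the page.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# The example token from this page (header, payload, signature joined by dots).
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0."
    "KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30"
)


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Inverse of b64url_decode: base64url with the padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> dict:
    """Split the token and parse header and payload WITHOUT verifying anything.

    This is what the header/payload panels show: anyone holding the token can
    read these two parts, so a JWT payload is never a place for secrets.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWT has exactly three dot-separated parts")
    header_b64, payload_b64, signature_b64 = parts
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(signature_b64),  # raw 32-byte HMAC for HS256
    }


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build an HS256 token: base64url(header).base64url(payload).base64url(HMAC)."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(signature)}"


def verify_hs256(token: str, secret: bytes) -> str:
    """Return 'verified', 'invalid' or 'unsupported': the outcomes the tool reports.

    The MAC is recomputed over the token's exact base64url text, not over
    re-serialised JSON, because any byte difference changes the result.
    """
    header_b64, payload_b64, signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier, not the token, decides what is acceptable.
    # RS256 (needs a public key), 'none', or anything else is refused here.
    if header.get("alg") != "HS256":
        return "unsupported"
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if hmac.compare_digest(expected, b64url_decode(signature_b64)):
        return "verified"
    return "invalid"


def is_expired(payload: dict, now: Optional[float] = None) -> bool:
    """Check the registered 'exp' claim (seconds since epoch); no exp means no expiry."""
    if "exp" not in payload:
        return False
    current = time.time() if now is None else now
    return current >= payload["exp"]


if __name__ == "__main__":
    decoded = decode_jwt(PAGE_TOKEN)
    print("header :", decoded["header"])
    print("payload:", decoded["payload"])
    secret = b"constructed-demo-secret"  # constructed for the demo, not a real key
    token = sign_hs256({"sub": "42", "admin": False, "exp": 1_700_000_000}, secret)
    print("own token, right secret:", verify_hs256(token, secret))
    print("own token, wrong secret:", verify_hs256(token, b"other-secret"))
```

A verified signature only proves that the header and payload are the ones the secret holder signed; it says nothing about whether the claims are still acceptable, which is why `is_expired` checks `exp` as a separate step. A real verifier should also reject tokens whose `alg` differs from the algorithm it was configured for, as `verify_hs256` does, rather than selecting the algorithm from the untrusted header.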