We use cookies to understand how DevToolsHub is used and to improve your experience. You can choose which types of cookies to allow.
Decode JWT tokens and inspect header, payload, and signature.
Loading...
Loading...
A JWT Decoder is a developer tool that decodes JSON Web Tokens (JWTs) into their three constituent parts β the header, payload, and signature β so you can inspect the claims and metadata encoded inside. JWTs are compact, URL-safe tokens defined by RFC 7519 and are widely used in modern web applications for authentication, authorization, and secure information exchange.
A JWT consists of three base64url-encoded segments separated by dots:header.payload.signature. The header describes the token type and signing algorithm. The payload contains claims β statements about an entity (typically a user) and additional metadata. The signature is used to verify the token has not been tampered with. Our JWT Decoder reverses the base64url encoding on the header and payload, presenting them as readable JSON, and displays the raw signature string.
Common use cases for a JWT Decoder include debugging authentication tokens during development, inspecting claims issued by your identity provider, checking token expiration times, verifying the correct audience and issuer are set, and understanding what information your auth server is embedding in tokens. Whether you are building OAuth 2.0 flows, working with OpenID Connect, or debugging a microservice authentication issue, a JWT Decoder is an essential tool in your development workflow.
A JWT is composed of three parts, each encoded using base64url encoding and joined by dots. Here is what each part contains:
The header is a JSON object that identifies the token type (typ, typically "JWT") and the cryptographic algorithm (alg) used to sign the token. Common algorithms include HMAC with SHA-256 (HS256), RSA with SHA-256 (RS256), and ECDSA with SHA-256 (ES256). The header may also contain a key ID (kid) to help the verifier select the correct key.
The payload contains claims β statements about an entity and additional data. There are three types of claims:
iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID).role, name, email, or permissions.All timestamps in JWT claims are Unix timestamps measured in seconds (not milliseconds).
The signature is created by taking the base64url-encoded header, the base64url-encoded payload, and signing them with a secret key (for HMAC algorithms) or a private key (for RSA/ECDSA). The signature ensures the token has not been modified after it was issued. To verify a JWT, the recipient re-computes the signature using the shared secret or public key and compares it to the signature in the token.
JWTs use base64url encoding β a variant of standard base64 that replaces + with - and / with _, and omits padding (= characters). This makes JWTs safe to use in URLs, query parameters, and HTTP headers without additional encoding. The JWT Decoder reverses this encoding to reveal the original JSON content.
β οΈ This tool only DECODES JWTs. It does NOT verify the signature.Decoding a JWT is like reading an open letter β anyone can do it. Verification is like checking the sender's signature with a notary β it proves authenticity. Never trust decoded JWT claims without proper signature verification in your backend.
Loading...