JWT Decoder and Inspector
Decode JSON Web Tokens instantly in your browser. Inspect header details, payload claims, expiration times, and analyze token security parameters.
How to decode a JWT token
A JWT is decoded by splitting the token string at its two dot separators and Base64url-decoding the header and payload segments. Anyone can decode and read these two parts without any key, because they are only encoded, not encrypted; only the third segment, the signature, depends on a secret.
Paste your token into the decoder above to see the header and payload as formatted JSON, with the signature shown as its raw Base64url string. The tool also converts Unix timestamps to readable dates, identifies standard claims like sub, iss, and exp, and flags security issues such as a missing expiry or the dangerous alg: none algorithm. All decoding happens in your browser; no data is sent anywhere. Use our [JSON formatter](/tools/json-formatter) to clean up raw JSON blocks, or check patterns against your claim values with our [regex tester](/tools/regex-tester).
What information is stored in a JWT payload?
A JSON Web Token payload stores claims which are key-value pairs representing statements about the user and additional metadata. Standard claims contain user identifiers, token issuers, and expiration timestamps, while custom claims hold application-specific data like roles and permissions.
Because JWT payloads are only Base64url encoded and not encrypted, anyone who intercepts a JWT can read its contents. Never store passwords, credit card numbers, or other sensitive data in a JWT payload. If you need to include sensitive data, use JWE (JSON Web Encryption), which actually encrypts the payload, unlike a standard signed JWT (JWS), which only encodes it. If you need to Base64-encode or decode keys or strings, use our [Base64 encoder and decoder](/tools/base64-encoder).
Common JWT security vulnerabilities to know
The most critical security vulnerability in JSON Web Tokens is acceptance of the alg: none algorithm, which lets an attacker forge tokens simply by stripping the signature. Other common security issues include omitting the expiration claim, using weak or guessable symmetric signing secrets, and failing to validate the token signature on the server at all.
Storing JWTs in localStorage is another frequent mistake, because any XSS flaw on the page can read the token. Use HttpOnly cookies for token storage in browsers, keep expiry times short (15 to 60 minutes for access tokens), and always validate the signature server-side before trusting any claim in the payload.
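The decoding procedure and the checks described above (split at the dots, Base64url-decode, flag alg: none and a missing or past exp), as an added example in browser-style JavaScript; this is not the decoder's own code. It assumes a browser or Node 16+ (global atob/btoa, TextEncoder/TextDecoder), and the sample token and its dummy signature are constructed here.

```javascript
// Added example, not the tool's own code: decode a JWT the way the page describes
// and flag the issues it lists (alg "none", missing exp, expired exp).
// Assumes a browser or Node >= 16 (global atob/btoa and TextEncoder/TextDecoder).

function base64UrlDecode(segment) {
  // base64url -> standard base64: restore '+', '/' and the stripped '=' padding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bin = atob(padded);
  // Binary string -> UTF-8 text so non-ASCII claim values survive.
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

function base64UrlEncode(text) {
  const bin = Array.from(new TextEncoder().encode(text), (b) => String.fromCharCode(b)).join('');
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('a signed JWT has exactly three dot-separated parts');
  const [h, p, signature] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  const warnings = [];

  // alg "none" (any letter case) or an empty signature segment means the token is unsigned.
  if (typeof header.alg !== 'string' || header.alg.toLowerCase() === 'none' || signature === '') {
    warnings.push('unsigned token: alg none or empty signature');
  }
  // exp is a Unix timestamp in seconds; without it the token never expires.
  let expiresAt = null;
  let expired = null;
  if (typeof payload.exp !== 'number') {
    warnings.push('missing exp claim');
  } else {
    expiresAt = new Date(payload.exp * 1000).toISOString();
    expired = payload.exp <= nowSeconds;
    if (expired) warnings.push('token expired');
  }
  return { header, payload, expiresAt, expired, warnings };
}

// Constructed sample token; the signature segment is a dummy placeholder, not a real HMAC.
const SAMPLE_JWT =
  base64UrlEncode('{"alg":"HS256","typ":"JWT"}') + '.' +
  base64UrlEncode('{"sub":"1234567890","iss":"example.test","exp":1700000000}') + '.' +
  'ZHVtbXk';

console.log(JSON.stringify(inspectJwt(SAMPLE_JWT, 1699999000), null, 2));
```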
Frequently asked questions about JWT tokens
What is a JWT token?
A JWT (JSON Web Token) is a compact, URL-safe token used to securely transmit information between parties. It consists of three Base64url-encoded parts separated by dots: a header (algorithm and token type), a payload (claims and data), and a signature for verification. JWTs are commonly used for authentication and API authorization.
How do I decode a JWT token?
Paste your JWT token into the input above. The decoder splits the token at the dots, Base64url-decodes each part, and displays the header and payload as formatted JSON. No key or secret is needed to decode the header and payload since they are only encoded, not encrypted.
Is it safe to decode a JWT online?
This decoder processes everything entirely in your browser using JavaScript. No token data is sent to any server. However, JWT payloads often contain sensitive user data like user IDs, emails, and roles. Avoid decoding production tokens containing real user data in any online tool.
What are JWT claims?
JWT claims are key-value pairs in the payload that carry information about the token. Standard claims include: iss (issuer), sub (subject/user ID), aud (audience), exp (expiration time), iat (issued at), nbf (not before), and jti (JWT ID). Custom claims can contain any application-specific data like user roles or permissions.
What does exp mean in a JWT?
The exp claim is the expiration time, stored as a Unix timestamp (seconds since January 1, 1970). After this time, the token should be rejected. The decoder above converts the exp timestamp to a human-readable date and shows whether the token is currently valid or expired.
Can a JWT be decrypted or verified without the secret?
The header and payload can be decoded by anyone since they are Base64url encoded, not encrypted. The signature cannot be verified without the secret key or public key. This means anyone who intercepts a JWT can read its contents, which is why sensitive data should not be stored in JWT payloads without additional encryption.
What is the difference between HS256 and RS256 in JWT?
HS256 (HMAC-SHA256) uses a single shared secret key for both signing and verification. RS256 (RSA-SHA256) uses a private key to sign and a public key to verify. RS256 is the better fit for distributed systems because the public verification key can be handed to every service without exposing the signing key, whereas with HS256 every service that verifies tokens holds the same secret that can also mint them.
What does alg: none in a JWT header mean?
alg: none means the token has no signature and cannot be verified. This is a critical security vulnerability. Servers that accept alg: none tokens are vulnerable to attacks where anyone can forge tokens by setting alg to none and removing the signature. Always reject tokens with alg: none in production.
How long should a JWT token be valid?
Access tokens should typically be short-lived: 15 minutes to 1 hour. Refresh tokens can be longer: 7 to 30 days. Short expiry limits the window of damage if a token is stolen. The decoder above shows the exact expiry time and how long until the token expires or how long ago it expired.
What is the maximum size of a JWT token?
There is no official maximum size, but HTTP headers typically have a 4KB to 8KB limit depending on the server. Most JWTs are under 500 bytes for simple access tokens. Avoid storing large amounts of data in JWT payloads. If your JWT is over 1KB, consider moving some claims to a database lookup.