JWT Decoder

Decode and inspect JSON Web Tokens — view header, payload, claims, and expiry status.

What is a JWT Token?

A JSON Web Token (JWT) is a compact, URL-safe token used for authentication and information exchange. A JWT consists of three Base64url-encoded parts separated by dots: a header (algorithm and type), a payload (claims such as user ID, roles, and expiration), and a signature for verification. This decoder lets you inspect any JWT without needing the secret key.

Common Use Cases

  • Debugging authentication issues by inspecting token claims
  • Verifying token expiration time (exp claim)
  • Checking user roles and permissions encoded in JWTs
  • Inspecting the signing algorithm (HS256, RS256, etc.)
  • Decoding JWTs from API responses or browser storage

Frequently Asked Questions

Is it safe to decode JWTs in the browser?

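Yes. The header and payload of a JWT are only Base64url-encoded, not encrypted, so anyone with the token can read them. The signature ensures the token hasn't been tampered with, but decoding the payload doesn't require the secret key. Decoding is not verification: claims read from a decoded token should not be trusted until the signature has been checked with the key.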
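The decoding described above, as an added example for Node.js (not this tool's own code): it reads the header and payload without any key, reports the exp status, and flags unsigned tokens. The function names and the sample token are constructed for illustration.

```javascript
// Added example: decode (NOT verify) a JWT and report its expiry status.
// Function names and the sample token are constructed for illustration.

// Decode one base64url segment (RFC 4648 URL-safe alphabet, no padding).
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64, "base64").toString("utf8");
}

// Inverse helper, used only to build the constructed sample token below.
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Returns header, payload, expiry status and warnings. No key is involved,
// so nothing here proves the token is authentic.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlDecode(parts[0]));
  const payload = JSON.parse(b64urlDecode(parts[1]));

  // RFC 7519: the token is acceptable only while the current time is before exp.
  let expiry = "no exp claim";
  if (typeof payload.exp === "number") {
    expiry = nowSeconds >= payload.exp ? "expired" : "not expired";
  }

  const warnings = [];
  if (String(header.alg).toLowerCase() === "none") warnings.push("alg is none: token is unsigned");
  if (parts[2] === "") warnings.push("signature segment is empty");
  return { header, payload, expiry, signatureVerified: false, warnings };
}

// Constructed sample: the signature is a placeholder, not a real HMAC.
const SAMPLE_TOKEN = [
  b64urlEncode({ alg: "HS256", typ: "JWT" }),
  b64urlEncode({ sub: "user-123", role: "admin", exp: 1700000000 }),
  "constructed-placeholder-signature",
].join(".");

console.log(inspectJwt(SAMPLE_TOKEN, 1700000001)); // fixed clock for a repeatable run
```

The result always carries signatureVerified: false, because accepting the claims requires checking the signature with the HS256 secret or RS256 public key.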

What is the difference between HS256 and RS256?

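HS256 (HMAC with SHA-256) uses a shared secret key for both signing and verification (symmetric). RS256 (RSA signature with SHA-256) uses a private key to sign and a public key to verify (asymmetric). RS256 is more secure for distributed systems because you never need to share the private key: services that only verify tokens hold the public key and cannot use it to sign new ones.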