JSON Web Tokens (JWTs) are used everywhere in modern authentication. This guide explains the JWT structure and how to decode and inspect tokens safely online.
โก Try It Free โ No Signup
Works instantly in your browser. No account, no install.
Open JWT Decoder โWhat Is a JWT?
A JSON Web Token is a compact, URL-safe token format used for authentication and information exchange. JWTs are signed so their contents can be verified, but they are not encrypted by default โ anyone can read the payload.
JWT Structure
A JWT has three Base64URL-encoded parts separated by dots:
header.payload.signature
Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4iLCJpYXQiOjE1MTYyMzkwMjJ9.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5cJWT Claims (Payload Fields)
| Claim | Meaning |
|---|---|
| sub | Subject (user ID) |
| iss | Issuer (who created the token) |
| exp | Expiration time (Unix timestamp) |
| iat | Issued at (Unix timestamp) |
| aud | Audience (intended recipient) |
Security Warning
Never paste production JWTs into untrusted online tools โ a JWT may contain sensitive claims and is sufficient to authenticate as that user until it expires. Our tool processes JWTs entirely in your browser; nothing is sent to any server.
Frequently Asked Questions
Can anyone read my JWT payload?
Yes โ the payload is Base64URL encoded, not encrypted. Anyone with the token can decode it. Never store sensitive data (passwords, credit cards) in a JWT payload.
Does decoding verify the signature?
Our decoder shows the decoded contents but does not verify the signature (that requires the secret key). To verify, use your backend library.
What's the difference between HS256 and RS256?
HS256 uses a shared secret (HMAC). RS256 uses a public/private key pair (RSA). RS256 is preferred for distributed systems since you can share the public key for verification without exposing the signing key.
How long should a JWT last?
Access tokens: 15 minutes to 1 hour. Refresh tokens: days to weeks. Short-lived tokens minimize damage from theft.