JWT Decoder
Decode JWT tokens instantly. View header and payload as JSON. See expiration dates in human-readable format.
JSON Web Tokens (JWTs) are the standard way to represent authentication and authorization information in modern web applications. After logging in to a service, your browser typically receives a JWT that it sends with every subsequent request. The server reads the token to know who you are and what you are allowed to do — without needing to query a database on every request.
A JWT is composed of three parts separated by dots: the header, the payload, and the signature. The header specifies the algorithm used to sign the token (e.g., HS256 or RS256). The payload contains claims — JSON key-value pairs encoding information like user ID, roles, expiration time, and issuer. The signature ensures the token has not been tampered with.
This tool decodes the header and payload sections so you can inspect their contents. Common debugging scenarios include checking whether a token has expired (the "exp" claim), seeing which user or subject the token represents ("sub"), verifying the issuer ("iss"), and inspecting custom application claims added by your auth provider.
Note that decoding a JWT is not the same as verifying it. Anyone can decode a JWT — the payload is simply Base64Url-encoded, not encrypted. Signature verification (which requires the secret key, or the public key for asymmetric algorithms such as RS256) is what ensures the token is genuine. Use this tool for inspection and debugging, not for security checks. All decoding runs locally in your browser.
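The difference between decoding and verifying, as an added Node.js example (not this tool's own code): a token whose payload was modified still decodes cleanly, and only the HS256 signature check rejects it. The secret, claims, and function names are constructed for the illustration.

```javascript
const crypto = require("node:crypto");

// Base64Url helpers (URL-safe alphabet, padding stripped).
const b64urlDecode = (s) => Buffer.from(s, "base64url");
const b64urlEncode = (x) => Buffer.from(x).toString("base64url");

// Decode only: needs no key and proves nothing about authenticity.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlDecode(parts[0]).toString("utf8"));
  const payload = JSON.parse(b64urlDecode(parts[1]).toString("utf8"));
  // "exp" is seconds since the Unix epoch; render it human-readable.
  const expires = typeof payload.exp === "number"
    ? new Date(payload.exp * 1000).toISOString() : null;
  return { header, payload, expires };
}

// Verify: recompute the HMAC over "header.payload" with the secret.
function verifyHs256(token, secret) {
  const parts = token.split(".");
  // Pin the expected algorithm instead of trusting whatever the header claims.
  if (parts.length !== 3 || decodeJwt(token).header.alg !== "HS256") return false;
  const expected = crypto.createHmac("sha256", secret).update(`${parts[0]}.${parts[1]}`).digest();
  const given = b64urlDecode(parts[2]);
  // Constant-time compare; the length check keeps timingSafeEqual from throwing.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed sample data (not real credentials).
const SECRET = "demo-secret-constructed";
function signHs256(payload, secret) {
  const h = b64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const p = b64urlEncode(JSON.stringify(payload));
  const sig = crypto.createHmac("sha256", secret).update(`${h}.${p}`).digest("base64url");
  return `${h}.${p}.${sig}`;
}
const claims = { sub: "user-123", iss: "auth.example", role: "user", exp: 1700000000 };
const genuine = signHs256(claims, SECRET);

// Same header and signature, modified payload.
const [gh, , gs] = genuine.split(".");
const tampered = [gh, b64urlEncode(JSON.stringify({ ...claims, role: "admin" })), gs].join(".");

console.log(decodeJwt(tampered).payload.role, verifyHs256(tampered, SECRET)); // → admin false
```

A server must base its decisions on the verification result and never on the decoded claims alone.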