JWT Decoder

Decode and inspect a JSON Web Token's header, payload and claims without verifying.

Configuration Parameters

Paste JWT

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "GeneratorAll",
  "iat": 1716239022
}

Signature

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Knowledge Base & Educational Companion: Anatomy of a JSON Web Token

A JWT is a compact, URL-safe token made of three Base64url parts separated by dots: a header, a payload of claims, and a signature. It is widely used for stateless authentication.

1. Header & Payload

The header names the signing algorithm and token type; the payload carries claims like subject, expiry and roles. Both are merely Base64url-encoded, not encrypted, so anyone can read them.

2. The Signature

The signature is computed over the header and payload using a secret or private key. It proves the token was not altered, but verifying it requires the key — which this decoder does not do.

3. Decode, Don't Trust

Because the payload is readable by anyone, never store secrets in a JWT. Always verify the signature server-side before trusting any claim.

SEO Target Indexed Keywords: jwt decoder, decode json web token, jwt parser online, jwt payload viewerLocale Tag: en