JWT Decoder
Decode JSON Web Tokens securely in your browser without sending data anywhere.
Encoded JWT
Header (Algorithm & Type)
Payload (Data)
What is a JWT Token?
A JWT (JSON Web Token) is an open standard (RFC 7519) for transmitting information securely between parties as a compact, URL-safe JSON object. It consists of three Base64Url-encoded parts separated by dots:
- Header — specifies the token type (
JWT) and signing algorithm (e.g.,HS256,RS256) - Payload — contains "claims" (key-value pairs) such as user ID, role, expiration time, issuer, and subject
- Signature — verifies the token wasn't altered; requires the secret key to verify
Header . Payload . Signature
Common JWT Claims Reference
| Claim | Name | Description |
|---|---|---|
iss | Issuer | Who issued the token |
sub | Subject | Who the token is about (usually user ID) |
exp | Expiration | Unix timestamp when token expires |
iat | Issued At | Unix timestamp when token was issued |
aud | Audience | Intended recipients of the token |
nbf | Not Before | Token is not valid before this time |
jti | JWT ID | Unique identifier for the token |
Frequently Asked Questions
Is it safe to decode a production JWT token here?
Yes. All decoding happens entirely in your browser. The token is never sent to any server.
Does decoding verify the JWT signature?
No. Decoding reveals the payload contents but does NOT verify the signature. That requires the secret key.
What are common JWT claims?
iss (issuer), sub (subject), exp (expiration), iat (issued at), aud (audience), nbf (not before), jti (JWT ID).
What is the difference between HS256 and RS256?
HS256 uses a shared secret (symmetric). RS256 uses a public/private key pair (asymmetric) — better for distributed systems.
Can I use this to decode JWTs from ASP.NET Core?
Yes. ASP.NET Core JWT middleware generates standard RFC 7519 tokens that this decoder handles perfectly.