> decode | inspect | verify <
// Decode and inspect JSON Web Tokens (JWT) instantly
Local Processing
100% client-side JWT decoding. Your tokens never leave your browser.
Auto-Decode
Automatically decode JWT tokens as you paste or type. No button clicks needed.
Full Token Inspection
View header, payload, and signature. Check algorithm, expiration, and all claims.
// ABOUT JWT DECODING
JWT Structure:
A JSON Web Token (JWT) consists of three Base64URL-encoded parts separated by dots: header.payload.signature. The header specifies the algorithm and token type. The payload contains claims (data). The signature verifies the token's integrity using the algorithm specified in the header.
Example:
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.signature → {"alg":"HS256"} + {"sub":"1234"}
Common Use Cases:
- >Debugging authentication tokens in web applications
- >Inspecting OAuth 2.0 and OpenID Connect tokens
- >Verifying token expiration and claims
- >Understanding JWT structure per RFC 7519
- >Checking Base64URL encoding integrity
>> frequently asked questions
Q: What is a JSON Web Token (JWT)?
A: JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. It is compact, URL-safe, and commonly used for authentication and information exchange in web applications.
Q: What are the three parts of a JWT?
A: A JWT consists of three parts separated by dots: the Header (algorithm and token type), the Payload (claims and data), and the Signature (verification hash). Each part is Base64URL-encoded.
Q: Can a JWT be decoded without the secret key?
A: Yes, the header and payload of a JWT can be decoded by anyone since they are simply Base64URL-encoded (not encrypted). The secret key is only needed to verify the signature. This is why you should never store sensitive data in a JWT payload.
Q: What is the difference between JWT and session-based authentication?
A: Sessions store state on the server and use a session ID cookie. JWTs are stateless — the token itself contains all necessary information. JWTs are better for distributed systems and APIs, while sessions offer easier revocation and smaller request sizes.
Q: How does JWT expiration work?
A: The exp claim in the JWT payload specifies the expiration time as a Unix timestamp (seconds since epoch). After this time, the token should be considered invalid. This decoder checks the exp claim and shows whether the token is still valid or expired.