Inputs

Tokens stay in your browser: they are never sent to any server. Decode only, no verification.

What a JWT actually is

A JSON Web Token (JWT) is three Base64URL-encoded parts joined by dots: header.payload.signature. The header and payload are JSON objects that anyone can decode; they are not encrypted, just encoded. The signature is computed over the first two parts and proves the token was issued by a key holder and has not been altered since. Checking it requires key material the decoder does not have: the shared secret for HMAC algorithms, or the issuer's public key for RSA and ECDSA.

Common header fields

  • alg: signing algorithm, e.g. HS256 (HMAC-SHA256), RS256 (RSA-SHA256), ES256 (ECDSA), or none (unsigned). A verifier must decide which algorithms it accepts in advance rather than trusting the value in the token, otherwise an attacker can switch a token to none or to a weaker algorithm.
  • typ: media type, conventionally "JWT" (optional; some profiles use other values such as "at+jwt" for access tokens).
  • kid: key ID, used when the verifier needs to know which of several keys to use.

Common payload claims

  • iss: issuer (who created the token)
  • sub: subject (who the token is about, usually a user ID)
  • aud: audience (who the token is for; a verifier should reject tokens meant for someone else)
  • exp: expiration time (Unix timestamp)
  • iat: issued at (Unix timestamp)
  • nbf: not before (Unix timestamp; the token is invalid before this time)
  • jti: JWT ID (unique identifier; lets a verifier that records seen IDs detect replay)

Security caveat

Anyone with a JWT can read its contents. Never put sensitive data in the payload: passwords, PII, secrets. The signature only proves authenticity, not confidentiality. If you need confidentiality, use JWE (JSON Web Encryption) instead.