Free Online JWT Decoder & Inspector
Decode and inspect JSON Web Tokens. View header, payload, claims, and check expiration status.
What is a JSON Web Token (JWT)?
A JSON Web Token (JWT) is a compact, URL-safe token format for transmitting claims between parties as a signed JSON object. JWTs are commonly used for authentication and authorization in web applications and APIs. When a user logs in, the server issues a JWT that the client includes in subsequent requests to prove identity.
JWTs are self-contained: the claims and the signature needed to check them travel with the token, so the server can verify the bearer's identity without keeping a server-side session record.
JWT Structure: Header, Payload, Signature
A JWT consists of three parts separated by dots (.):
- Header — Contains the token type (JWT) and the signing algorithm (e.g., HS256, RS256)
- Payload — Contains claims (statements about the user and metadata) such as user ID, name, roles, and expiration time
- Signature — Created by signing the encoded header and payload with a secret (HMAC algorithms such as HS256) or a private key (asymmetric algorithms such as RS256), so that any change to the header or payload invalidates the signature and tampering is detected
Common JWT Claims
Standard claims include: iss (issuer), sub (subject/user ID), aud (audience), exp (expiration time), iat (issued at), nbf (not before), and jti (JWT ID for uniqueness). Custom claims can carry any application-specific data.
Security Considerations
Never store sensitive data (passwords, credit cards) in JWT payloads: the payload is only base64url-encoded, not encrypted, so anyone holding the token can read it. Always transmit JWTs over HTTPS. Verify the signature and validate the claims server-side before granting access. Set reasonable expiration times and implement token refresh flows for long-lived sessions.
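The three-part structure, the standard claims and the server-side validation described above, as an added example in Python (not code from this page or from RestForge). It uses only the standard library: `decode_jwt` does what the inspector does (split on dots and base64url-decode the header and payload without verifying anything), `expiration_status` reports the `exp` claim, and `verify_hs256` is the server-side check that pins the algorithm, verifies the HMAC signature in constant time and validates `exp`, `nbf`, `iss` and `aud`. The secret, issuer, audience and the sample payload are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example; a real deployment uses its own.
SECRET = b"example-secret-not-for-production"
ISSUER = "https://issuer.example"
AUDIENCE = "api.example"
NOW = 1_700_000_000  # fixed clock so results are reproducible


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> dict:
    """Split and decode a compact JWT WITHOUT verifying it (what an inspector shows)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header_b64, payload_b64, signature_b64 = parts
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(signature_b64),
    }


def expiration_status(payload: dict, now: int = None) -> str:
    now = int(time.time()) if now is None else now
    exp = payload.get("exp")
    if exp is None:
        return "no exp claim"
    return "expired" if now >= exp else f"valid for {exp - now}s"


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a token: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def verify_hs256(token: str, secret: bytes, issuer: str, audience: str,
                 now: int = None) -> dict:
    """Server-side validation: signature first, then the standard claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Accept only the algorithm this server issues; never trust the token's alg
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how much matched
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" not in payload or now >= payload["exp"]:
        raise ValueError("token expired or missing exp")
    if payload.get("nbf", 0) > now:
        raise ValueError("token not yet valid (nbf)")
    if payload.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = payload.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        raise ValueError("wrong audience")
    return payload


# Constructed sample token: a user session valid for one hour from NOW
SAMPLE_PAYLOAD = {"iss": ISSUER, "sub": "user-123", "aud": AUDIENCE,
                  "iat": NOW, "nbf": NOW, "exp": NOW + 3600, "jti": "abc-001",
                  "roles": ["reader"]}
SAMPLE_TOKEN = sign_hs256(SAMPLE_PAYLOAD, SECRET)

if __name__ == "__main__":
    decoded = decode_jwt(SAMPLE_TOKEN)
    print("header:", decoded["header"])
    print("payload:", decoded["payload"])
    print("status:", expiration_status(decoded["payload"], now=NOW))
    print("verified sub:", verify_hs256(SAMPLE_TOKEN, SECRET, ISSUER, AUDIENCE, now=NOW)["sub"])
```

`decode_jwt` deliberately does not check the signature, which is exactly why a decoder's output must never be used to make an access decision; `verify_hs256` is the part that belongs on the server. Note the order: the signature is checked before any claim is read, and the algorithm is fixed by the server rather than taken from the token.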
Test APIs with JWT Authentication?
Download RestForge for full API testing with Bearer token auth, pre-request scripts, environment variables, and more.