JWT Decoder

Decode and inspect JWT tokens — view header, payload claims, timestamps, and signature. Nothing leaves your browser.

Frequently Asked Questions

Common questions about the JWT Decoder tool.

JWT stands for JSON Web Token, a compact, URL-safe format for signed claims. Structure: `header.payload.signature`, each part Base64URL-encoded. Commonly used for session tokens, OIDC ID tokens, and API auth.

Yes, a JWT can be decoded without the secret: the header and payload are Base64URL-encoded, not encrypted. The secret only protects the signature (for verification). Assume anyone can read the payload; never put secrets in the payload.

JWS is a signed JSON token (what most people call JWT). JWE is an encrypted JSON token — the payload is confidential. JWT is the general term covering both.

To verify a token, fetch the issuer's JWKS (`/.well-known/jwks.json`), find the key matching the `kid` in the header, and verify the signature using the algorithm in the `alg` header. Never trust `alg: none`.
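
The verification steps above, as an added Node.js example (not this tool's own code). The key pair, the `demo-key-1` key ID and the in-memory `JWKS` object are constructed stand-ins for a fetched `jwks.json`; the `ALLOWED_ALGS` allowlist is an assumption of this example, so the header's `alg` is only honored when the verifier already accepts it.

```javascript
const nodeCrypto = require('node:crypto');

// Verifier-side allowlist (assumption of this example): JWT alg -> Node digest name.
const ALLOWED_ALGS = { RS256: 'RSA-SHA256' };
const b64url = (data) => Buffer.from(data).toString('base64url');
const fromB64url = (s) => Buffer.from(s, 'base64url');

// Constructed sample issuer key and JWKS, standing in for the fetched jwks.json.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const JWKS = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key-1', alg: 'RS256' }] };

// Issuer side, only here to produce sample tokens for the verifier below.
function signSample(header, payload) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${b64url(nodeCrypto.sign('RSA-SHA256', Buffer.from(input), privateKey))}`;
}

function verifyJwt(token, jwks, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const header = JSON.parse(fromB64url(parts[0]).toString('utf8'));
  // Reject "none" and anything else not explicitly allowed before touching a key.
  if (!Object.hasOwn(ALLOWED_ALGS, header.alg)) throw new Error('algorithm not allowed');
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  // The key's own type and declared alg must agree with the token header.
  if (jwk.kty !== 'RSA' || (jwk.alg && jwk.alg !== header.alg)) throw new Error('key/alg mismatch');
  const key = nodeCrypto.createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: 'jwk' });
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!nodeCrypto.verify(ALLOWED_ALGS[header.alg], signed, key, fromB64url(parts[2]))) {
    throw new Error('bad signature');
  }
  // Claims are read only after the signature checks out.
  const claims = JSON.parse(fromB64url(parts[1]).toString('utf8'));
  if (typeof claims.exp === 'number' && claims.exp <= now) throw new Error('token expired');
  return claims;
}
```

Decoding a token, as this tool does, performs none of these checks; only the claims returned by a verifier like `verifyJwt` should drive an authorization decision.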