What is a JWT?
JWT stands for JSON Web Token, which is used for secure authentication.
Decode JWT tokens instantly. Inspect payload data and claims from JSON Web Tokens safely in your browser.
JWT Decoder allows developers to inspect JSON Web Tokens by decoding their payload. JWTs are commonly used for authentication and authorization in web applications and APIs.
Input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Output
Warnings
⚠ No exp claim — token never expires, which is a security risk for long-lived sessions
⚠ No iss (issuer) claim — origin of token cannot be verified
⚠ No aud (audience) claim — any service could accept this token
⚠ No jti (JWT ID) claim — token cannot be individually revoked or tracked
⚠ HS256: Ensure the secret is at least 256 bits (32 bytes) of random data — weak secrets are brute-forceable
Status
Token : ⚠ NO EXPIRY
Algorithm: HS256 (HMAC)
Key size : 256-bit
Note : Symmetric — same secret signs and verifies. Never expose the secret.
Timing
Issued at : 2018-01-18T01:30:22.000Z (unix: 1516239022) (2987d 11h ago)
Expires : never
Claims
sub (subject) : 1234567890
Custom claims:
name: "John Doe"
admin: true
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "iat": 1516239022
}
Signature
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
⚠ Signature is NOT verified — this tool decodes only.
⚠ Decoding does not prove the token is authentic or untampered.
JWT tokens contain three parts: header, payload, and signature. The payload is Base64URL-encoded JSON containing claims about the user or request.
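The split-and-decode step described above, as an added example that is not the tool's own code: it decodes the header and payload, reports the missing-claim warnings shown in the output, and leaves the signature unverified. The names b64urlToJson, inspectJwt and SAMPLE_TOKEN are assumptions made for this example.

```javascript
// Added example: decode-only JWT inspection. It never verifies the signature.
// b64urlToJson and inspectJwt are illustrative names, not the tool's API.

function b64urlToJson(segment) {
  // Base64URL -> Base64: swap the URL-safe alphabet and restore '=' padding.
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  const bin = typeof atob === 'function'
    ? atob(b64)
    : Buffer.from(b64, 'base64').toString('binary');
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes)); // segment JSON is UTF-8
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error('expected 3 dot-separated segments, got ' + parts.length);
  }
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const warnings = [];
  // alg "none" means the token carries no signature at all.
  if (String(header.alg).toLowerCase() === 'none') {
    warnings.push('alg is none: unsigned token');
  }
  // The same registered claims the tool output flags when absent.
  for (const claim of ['exp', 'iss', 'aud', 'jti']) {
    if (!(claim in payload)) warnings.push('No ' + claim + ' claim');
  }
  if (typeof payload.exp === 'number' && payload.exp <= nowSeconds) {
    warnings.push('Token expired');
  }
  // verified is always false: decoding proves nothing about authenticity.
  return { header, payload, signature: parts[2], verified: false, warnings };
}

// The sample token shown in the Input field on this page.
const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';
```

A server must still verify the signature with its own key and check exp, iss and aud before trusting any decoded claim such as admin.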
This tool only decodes the payload.
User claims and token metadata.
Yes, tokens are processed locally.
Yes, decoding does not depend on validity.
No, JWT payloads are already readable after decoding.