
JWT Decoder & Validator

Decode and inspect JSON Web Tokens instantly. No data is sent to any server.


What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519. It is the standard way to transfer a set of claims between two parties in a form whose integrity can be checked (signed, as a JWS) or whose contents are hidden (encrypted, as a JWE). It is most commonly used for authentication and authorization in REST APIs and single-page applications.

When a user logs in, the server creates a JWT signed with a secret or private key and sends it to the client. The client includes this token in subsequent requests (usually as a Bearer token in the Authorization header), and the server validates it without needing to look up a session in the database. This makes JWTs ideal for stateless, scalable APIs. The trade-off of keeping no server-side state is that a token stays valid until its exp time unless the server maintains a revocation list, so keep lifetimes short and pair access tokens with a refresh mechanism.

JWT Structure Explained

Every JWT consists of three Base64url-encoded parts joined by dots: header.payload.signature

Header

A JSON object that declares the token type (typ: "JWT") and the signing algorithm (alg), such as HS256, RS256, or ES256. Because the header arrives with the token, alg is attacker-controlled input: a verifier must compare it against the algorithm it is configured for, not follow it as an instruction.

Payload

A JSON object containing claims, statements about the user or session. Standard registered claims include sub (subject / user ID), iss (issuer), aud (audience), exp (expiry timestamp), nbf (not-before timestamp), iat (issued-at timestamp) and jti (token ID). Custom claims can be added freely. Note: the payload is not encrypted; anyone holding the token can read it.

Signature

The signature is computed over the ASCII string header.payload (the two encoded parts joined by a dot) using an HMAC with a shared secret or a digital signature with a private key, and is stored Base64url-encoded as the third part. It lets the server verify that neither the header nor the payload has been altered. Without the secret (or private key) an attacker cannot forge a valid signature, provided the secret is long and random: short or guessable HMAC secrets can be recovered offline by brute force from a single captured token.

How JWT Decoding Works

Decoding a JWT simply means reversing the Base64url encoding applied to the header and payload. Because Base64url is not encryption, no key or secret is required to read the contents. This is by design — the payload is meant to be readable, just not modifiable without detection.

This tool splits the token at each dot, decodes each of the first two parts using the browser's built-in atob function (after translating Base64url's "-" and "_" back to "+" and "/" and restoring padding, since atob only accepts standard Base64) and TextDecoder for full UTF-8 support, then formats the result as readable JSON. All processing happens locally in your browser; nothing is sent to a server. Because anyone holding the token can do the same, a JWT payload must never carry data you would not want the bearer, or anyone who intercepts the token, to read.
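The decoding procedure just described, as an added example (this is not the tool's own source code): Base64url is translated to standard Base64 for atob, the bytes are decoded as UTF-8 with TextDecoder, and the result is parsed as JSON. It runs unchanged in a browser or in Node 16+, where atob, btoa, TextEncoder and TextDecoder are globals. The sample token is constructed inline with a placeholder signature, because decoding never looks at the signature.

```javascript
// Added example, not the tool's own source: decode a JWT locally the way the
// page describes (base64url -> bytes via atob -> UTF-8 via TextDecoder).
// Decoding needs no key; nothing here verifies the signature.

// base64url (RFC 4648 section 5) uses '-' and '_' instead of '+' and '/' and
// drops the '=' padding. atob accepts only standard base64, so translate back.
function b64uDecode(b64url) {
  if (!/^[A-Za-z0-9_-]*$/.test(b64url)) throw new Error("not base64url");
  let b64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  const bin = atob(b64); // throws on anything that is still malformed
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Inverse direction, used only to build the sample token below.
function b64uEncode(bytes) {
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// One segment -> JSON object. fatal:true makes malformed UTF-8 an error
// instead of silently substituting U+FFFD.
function decodeSegment(segment) {
  const text = new TextDecoder("utf-8", { fatal: true }).decode(b64uDecode(segment));
  return JSON.parse(text);
}

function encodeSegment(obj) {
  return b64uEncode(new TextEncoder().encode(JSON.stringify(obj)));
}

// Split on '.', decode header and payload, keep the signature as-is.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error(`jwt malformed: expected 3 parts, got ${parts.length}`);
  }
  return {
    header: decodeSegment(parts[0]),
    payload: decodeSegment(parts[1]),
    signature: parts[2], // raw base64url; only a verifier needs to decode it
  };
}

// Constructed sample token (claims invented for the demo). The non-ASCII name
// exercises the UTF-8 path; the signature is a placeholder.
function sampleToken() {
  const header = { alg: "HS256", typ: "JWT" };
  const payload = { sub: "42", name: "Zoë Ñandú", iat: 1700000000, exp: 1700003600 };
  return `${encodeSegment(header)}.${encodeSegment(payload)}.placeholder-signature`;
}

console.log(JSON.stringify(decodeJwt(sampleToken()), null, 2));
```

The regex check before atob is deliberate: a stray "+" or "=" in a pasted token is one of the most common "jwt malformed" causes, and rejecting it up front gives a clearer error than whatever JSON.parse would produce from the mis-decoded bytes.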

How to Validate a JWT

Proper JWT validation involves more than just decoding. A server should check all of the following:

  • Structure: The token must have exactly three dot-separated parts, each valid Base64url.
  • Algorithm: The header's alg must equal the single algorithm your verifier is configured for. Never let the token choose; alg: "none" and HMAC/RSA key-confusion attacks both rely on verifiers that do.
  • Signature: Recompute the MAC (or verify the signature) over the encoded header.payload string with the expected key and compare using a constant-time comparison. This tool supports HMAC algorithms (HS256, HS384, HS512).
  • Expiry (exp): Reject tokens where the current time is at or past the exp timestamp. Check nbf (not before) the same way if present.
  • Issuer (iss): Confirm the token was issued by a trusted source.
  • Audience (aud): Confirm the token is intended for your application (aud may be a single string or an array of strings).

Skipping any of these checks — especially signature verification — is a common source of JWT-related security vulnerabilities.

Common JWT Errors

TokenExpiredError

The exp claim is in the past. The client should request a new token (e.g. refresh token flow).

JsonWebTokenError: invalid signature

The signature does not match. Usually caused by a wrong secret, a different algorithm, or a tampered token.

JsonWebTokenError: jwt malformed

The token does not have three dot-separated parts, or the parts are not valid Base64url. Often caused by copying a truncated or broken token.

Algorithm mismatch

The algorithm declared in the header does not match what the server expects. The header is attacker-controlled, so a verifier that honours it can be tricked into accepting alg: "none" (no signature at all) or into checking an HMAC token against an RSA public key used as the shared secret. Always enforce a specific algorithm server-side rather than reading it from the token.

Frequently Asked Questions

Is JWT encrypted?

No. A JWT in its usual form is a JWS (JSON Web Signature): it is signed, not encrypted. The header and payload are only Base64url-encoded, which is trivially reversible. Anyone who has the token can read its contents. If you need to hide the payload, use JWE (JSON Web Encryption) instead.

Can a JWT be hacked or tampered with?

The payload can be read by anyone, but it cannot be modified without detection as long as the server verifies the signature. If an attacker changes the payload, the signature will no longer match, and the server will reject the token. Risks arise when servers skip verification, let the token's own alg header decide how it is verified, or use weak or predictable secrets.

How do I verify a JWT signature?

For HMAC tokens (HS256, HS384, HS512), recompute the MAC over the header.payload string with the shared secret and compare it to the decoded signature part using a constant-time comparison. This tool does exactly that using the browser's Web Crypto API, whose verify operation performs the comparison; enter your secret in the Verify Signature section above. For RSA (RS256) or ECDSA (ES256) tokens you need the issuer's public key; a shared secret cannot verify them.

What is the exp claim in a JWT?

exp stands for expiration time. It is a Unix timestamp (number of seconds, not milliseconds, since 1970-01-01 00:00:00 UTC) that indicates when the token becomes invalid. A server must reject any token whose exp is at or before the current time. A common bug is comparing it against a millisecond clock such as JavaScript's Date.now(), which makes every token appear expired. This tool automatically detects and highlights expired tokens.

Is it safe to paste a JWT here?

All decoding and signature verification happens entirely in your browser using the Web Crypto API. Nothing is sent to any server. That said, it is still good practice to avoid pasting live production tokens containing sensitive user data.