JWT Token Decoder

Decode and inspect JWT tokens online. View the header, payload, and signature from any JSON Web Token instantly.

Paste JWT Token

JWT Structure Reference

JWT Structure

A JWT consists of three Base64URL-encoded parts separated by dots: Header.Payload.Signature

Header

Algorithm + Type

Payload

Claims / Data

Signature

Verification

Header Fields

Field	Name	Description
alg	Algorithm	Signing algorithm (HS256, RS256, ES256, etc.)
typ	Type	Token type, typically "JWT"
kid	Key ID	Identifier for the signing key used
jku	JWK Set URL	URL to the JSON Web Key Set
x5u	X.509 URL	URL to the X.509 certificate chain

Registered Payload Claims

Claim	Name	Description
iss	Issuer	Entity that issued the JWT
sub	Subject	Subject of the JWT (user ID)
aud	Audience	Recipient(s) the JWT is intended for
exp	Expiration	Timestamp after which the JWT expires
nbf	Not Before	Timestamp before which the JWT is not valid
iat	Issued At	Timestamp when the JWT was issued
jti	JWT ID	Unique identifier for the JWT

Frequently Asked Questions

What is a JSON Web Token (JWT)?

A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties as a JSON object. It consists of three parts: a Header (algorithm and token type), a Payload (claims/data), and a Signature. JWTs are widely used for authentication and authorization in web applications and APIs.

Can a JWT be decoded without the secret key?

Yes, the header and payload of a JWT are only Base64URL-encoded, not encrypted. Anyone with the token can decode and read these parts. The secret key is only needed to verify the signature, which confirms the token has not been tampered with. This is why you should never store sensitive information in the JWT payload.

What is the difference between JWT and session cookies?

Session cookies store a session ID on the client, with the actual session data kept on the server. JWTs are self-contained tokens that carry all necessary data within the token itself. JWTs are stateless and work well in distributed systems and APIs, while session cookies require server-side storage. JWTs can be larger than session IDs but eliminate the need for server-side session lookups.