
// tool

JWT Decoder

Inspect any JWT in your browser. Nothing is sent to a server.

Decoding happens in your browser. Nothing is sent to a server.

Anatomy of a JWT

A JWT is three base64url-encoded segments separated by dots. The decoder above splits them for you:

  • Header: algorithm (alg), token type (typ), and sometimes a key id (kid) to tell the server which key signed this token.
  • Payload: the claims. Standard ones include iss (issuer), sub (subject), aud (audience), exp (expiry, UNIX seconds), iat (issued at), nbf (not before).
  • Signature: used to verify the token was issued by the holder of the key. This decoder does not verify signatures; decoding is a separate concern from validating.

Security note

Decoding a JWT is trivial: the payload is not encrypted, only encoded. Don't put secrets in a JWT payload. Always verify the signature server-side before trusting any claim.
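The difference between decoding and validating, as an added Node.js example (not this tool's code): a token whose payload was edited still decodes cleanly, but fails server-side verification. The key, the claims, the role field and all function names are constructed for illustration, and HS256 is assumed as the signing algorithm.

```javascript
// Added example, not the decoder's own code. Key, claims and token are constructed.
const nodeCrypto = require('node:crypto');

const parseSegment = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
const encodeSegment = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Decode only: split the three segments and parse header and payload.
// Succeeds for any well-formed token, so it proves nothing about the issuer.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected three dot-separated segments');
  const [h, p, s] = parts;
  return { header: parseSegment(h), payload: parseSegment(p),
           signingInput: `${h}.${p}`, signature: Buffer.from(s, 'base64url') };
}

// Verify (server side): the expected algorithm is fixed here rather than taken
// from the header, the HMAC is compared in constant time, then exp/nbf are checked.
function verifyHs256(token, key, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { header, payload, signingInput, signature } = decodeJwt(token);
  if (header.alg !== 'HS256') throw new Error('unexpected alg');
  const expected = nodeCrypto.createHmac('sha256', key).update(signingInput).digest();
  if (signature.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(signature, expected)) throw new Error('bad signature');
  if (typeof payload.exp === 'number' && nowSeconds >= payload.exp) throw new Error('expired');
  if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) throw new Error('not yet valid');
  return payload; // claims may be trusted only from this point on
}

// Helper that issues the constructed sample token.
function signHs256(payload, key) {
  const input = `${encodeSegment({ alg: 'HS256', typ: 'JWT' })}.${encodeSegment(payload)}`;
  return `${input}.${nodeCrypto.createHmac('sha256', key).update(input).digest('base64url')}`;
}

// Demo: keep header and signature, replace the payload segment with edited claims.
function demo() {
  const key = 'constructed-demo-key';
  const token = signHs256({ sub: 'alice', role: 'user', exp: 2000000000 }, key);
  const [h, , s] = token.split('.');
  const edited = `${h}.${encodeSegment({ sub: 'alice', role: 'admin', exp: 2000000000 })}.${s}`;
  let verdict;
  try { verifyHs256(edited, key, 1700000000); verdict = 'accepted'; } catch (e) { verdict = e.message; }
  return { decodedRole: decodeJwt(edited).payload.role, verdict };
}
```
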
