JWT Decoder

Decode and inspect JSON Web Tokens instantly.

What is a JWT?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair (using RSA or ECDSA).

JWT Structure

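A JWT consists of three parts separated by dots (.). In a signed JWT each part is base64url-encoded, not encrypted, so anyone holding the token can read the header and payload. The parts are: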

  • Header: Contains metadata about the token, such as the signing algorithm (alg) and token type (typ)
  • Payload: Contains the claims (statements about an entity and additional data)
  • Signature: Used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way

Common JWT Claims

  • iss: Issuer - identifies the principal that issued the JWT
  • sub: Subject - identifies the principal that the JWT is about
  • aud: Audience - identifies the recipients that the JWT is intended for
  • exp: Expiration Time - identifies the expiration time on or after which the JWT must not be accepted
  • iat: Issued At - identifies the time at which the JWT was issued
  • nbf: Not Before - identifies the time before which the JWT must not be accepted

Security Considerations

Important: This tool only decodes JWTs. It does not verify signatures or validate tokens.

  • Always verify JWT signatures on the server side using the appropriate secret or public key
  • Never share your JWT secret keys or private keys publicly
  • Check token expiration (exp claim) before accepting tokens in production applications
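
The difference between decoding and verifying, as an added example that is not part of this tool's code: decode_unverified does what a decoder does, while verify_hs256 pins the algorithm, checks the HMAC in constant time and then applies exp and nbf. The function names, the secret and the sample claims are constructed for illustration, and only HS256 is handled.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_unverified(token: str):
    """What a decoder does: read header and payload, prove nothing."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Check signature, then exp/nbf. Raises ValueError when a check fails."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm on the server; do not let the token's header pick it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))  # trusted only after the MAC matched
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims

def mint(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    # Constructed helper that builds the sample tokens (always signs with HMAC-SHA256).
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

# Constructed sample data: the secret, issuer and subject are made up.
SECRET = b"constructed-demo-secret"
TOKEN = mint({"iss": "https://issuer.example", "sub": "user-123",
              "iat": 1700000000, "exp": 1700003600}, SECRET)
# Same header and signature, edited payload: it decodes fine but must not verify.
TAMPERED = ".".join([TOKEN.split(".")[0],
                     b64url_encode(b'{"sub": "admin", "exp": 1700003600}'),
                     TOKEN.split(".")[2]])
```

The edited token decodes without complaint, which is why decoded claims alone should never drive an authorization decision.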