JWT Decoder
Decode and verify JSON Web Tokens online in real-time.
About the JWT Decoder
We built this JWT Decoder for developers who need to quickly inspect and validate JSON Web Tokens. JWTs are a compact, self-contained way of securely transmitting information between parties, but they are Base64URL-encoded and hard to read at a glance. Our tool lets you paste in a token and instantly see the contents of the header and payload, and it can also verify the signature against a secret key.
How to Use the Tool
- Paste your full JWT into the "Encoded Token" input box on the left.
- The Header and Payload will be automatically decoded and displayed on the right.
- To verify the signature, enter your secret key into the "Signature Secret" field. The status will update in real-time.
- You can copy the decoded JSON from the Header or Payload using the "Copy" buttons in each section.
- Click "Load Sample" to see a valid JWT and its correct secret to understand how verification works.
Frequently Asked Questions
What is a JWT (JSON Web Token)?
A JWT is a standard used to create access tokens for an application. It consists of three parts separated by dots: a Header, a Payload, and a Signature. The header contains metadata about the token (like the algorithm), and the payload contains the claims or data (like user ID and permissions). The signature is used to verify that the token hasn't been tampered with.
What are the three parts of a JWT?
A JWT is made of three Base64URL-encoded strings separated by dots:
- Header: Contains the token type (JWT) and the signing algorithm being used, such as HMAC-SHA256 (HS256) or RSA.
- Payload: Contains the "claims," which are statements about an entity (typically, the user) and additional data.
- Signature: A cryptographic signature created by signing the encoded header and payload with a secret key. It's used to verify the token's authenticity.
Is a JWT secure?
A JWT is not encrypted; it is only encoded. This means anyone who intercepts the token can easily see the data inside the header and payload. Its security comes from the signature, which ensures that the token has not been altered in transit. Therefore, you should never put sensitive, unencrypted information in the payload of a JWT.
How does signature verification work?
To create the signature, the encoded header and payload are combined with a secret key using a cryptographic algorithm (like HMAC-SHA256). To verify it, our tool performs the same calculation with the secret key you provide. If the signature we generate matches the one in the token, the token is authentic. If they don't match, it means either the token was tampered with or the secret key is wrong.
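The check described above, written out in Python as an added example (not the tool's own code): decode the header and payload, recompute HMAC-SHA256 over the encoded `header.payload` with the secret, and compare the result with the token's signature segment. The secret and token are constructed sample values, and the verifier only accepts tokens whose header names the algorithm it was configured for.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_jwt(token: str) -> tuple:
    """Return (header, payload) as dicts; this is the decode step and proves nothing about authenticity."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute HMAC-SHA256 over 'header.payload' and compare it with the token's third segment."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        return False  # wrong segment count, invalid base64url, or header is not JSON
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False  # only accept the algorithm this verifier is configured for
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(expected, signature)

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build an HS256 token; used here only to construct the sample input."""
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"

# Constructed sample secret and token (placeholder values, not real credentials).
SECRET = b"constructed-sample-secret"
SAMPLE_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "user-42", "admin": False}, SECRET)

def with_altered_payload(token: str, payload: dict) -> str:
    """Replace the payload but keep the old signature, to show that verification then fails."""
    header_b64, _old_payload, sig_b64 = token.split(".")
    new_payload = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload}.{sig_b64}"
```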
Is this tool safe to use with my secret keys?
Yes. This tool is built with JavaScript and runs entirely in your web browser. All decoding and signature verification happens on your own computer. Your JWTs and secret keys are never sent to our servers, ensuring your data remains completely private and secure.