Developer Token Tool

JWT Decoder Online

Decode JSON Web Tokens, inspect header and payload claims, check issued and expiry dates, and copy decoded JSON. Decoding happens locally in your browser and does not verify the signature.

Privacy note: QuickDeveloperTools decodes JWT text in your browser. Do not paste production tokens unless your organization allows it.

This tool decodes JWT tokens locally in your browser. It does not verify the signature. Do not use it to validate token authenticity.

JWT Signature Safety Note

Use this for debugging claims. Signature validation must happen in your backend or auth library.

Decode JWT in JavaScript

This browser snippet decodes the JWT payload for inspection. It does not verify the signature.

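// token: the compact JWT string (header.payload.signature)
const [, payload] = token.split(".");
// Convert Base64Url to Base64, then decode the bytes as UTF-8 so non-ASCII claims survive
const bytes = Uint8Array.from(
  atob(payload.replace(/-/g, "+").replace(/_/g, "/")),
  (c) => c.charCodeAt(0)
);
const json = JSON.parse(new TextDecoder().decode(bytes));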

JWT Security Reminder

JWT decoding is not signature verification. If the token protects real access, verify it with the correct secret or public key in your backend.

JWT Decoder FAQ

JSON Web Token Questions

What is JWT?

JWT stands for JSON Web Token. It is a compact, URL-safe token format used to securely transmit information between parties.

What is a JWT Decoder?

A JWT Decoder reads and displays the contents of a JWT token, including its header, payload and signature information.

How do I decode a JWT token?

Paste the JWT token into the decoder to view its decoded header and payload.

What is JWT used for?

JWT is commonly used for authentication, authorization, API security and user session management.

What are the three parts of a JWT?

A JWT consists of a Header, Payload and Signature separated by dots.

What is the JWT header?

The JWT header contains metadata about the token, including the signing algorithm and token type. Example: {"alg":"HS256","typ":"JWT"}. Here, alg specifies the signing algorithm and typ indicates that the token is a JWT.

What is the JWT payload?

The payload contains claims or data stored inside the token. Example: {"sub":"123","name":"John Doe","role":"Admin"}. Applications commonly store user IDs, usernames and roles in the payload.

What is the JWT signature?

The signature is used to verify that the token has not been modified. It is generated using the encoded header, payload and a secret key or private key. If the payload changes, the signature becomes invalid.

What are JWT claims?

Claims are pieces of information stored in the JWT payload. Examples include user ID, username, roles, expiration time and issuer details.

Can I read a JWT without a secret key?

Yes. The header and payload can be decoded without the secret key, but the signature cannot be verified.

Can a JWT Decoder verify a token?

A decoder can display token contents. Signature verification requires the appropriate secret key or public key.

Is JWT encrypted?

No. Standard JWTs are Base64Url encoded, not encrypted. Anyone with the token can decode its contents.

What is the difference between encoding and encryption?

Encoding makes data readable in a specific format, while encryption protects data so only authorized parties can read it.

Can sensitive data be stored in a JWT?

Sensitive information should generally not be stored in JWT payloads because they can be easily decoded.

What is Base64Url encoding in JWT?

JWT uses Base64Url encoding to safely transmit data in URLs and HTTP headers.

What does the 'alg' field mean in JWT?

The 'alg' field specifies the algorithm used to sign the token, such as HS256 or RS256.

What is HS256 in JWT?

HS256 stands for HMAC SHA-256. It uses a shared secret key to both sign and verify the token. The same secret must be known by both the issuer and verifier.
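
The backend-side check that this page says a decoder cannot do, shown for HS256 as an added example (not QuickDeveloperTools code). It uses only Node.js built-ins; the function names, secret and claims are constructed for illustration, and a production service would normally call a maintained JWT library instead.

```javascript
// Added example for Node.js; the secret and claims are constructed sample values.
const crypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");

// Issue: signature = HMAC-SHA256(secret, base64url(header) + "." + base64url(payload)).
function signHS256(claims, secret) {
  const signingInput =
    b64url(JSON.stringify({ alg: "HS256", typ: "JWT" })) + "." + b64url(JSON.stringify(claims));
  const sig = crypto.createHmac("sha256", secret).update(signingInput).digest();
  return signingInput + "." + b64url(sig);
}

// Check the signature, then the expiry. Returns the claims or throws.
function verifyHS256(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;

  // The verifier pins the algorithm; the header's alg value is only compared, never obeyed.
  const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
  if (header.alg !== "HS256") throw new Error("unexpected alg");

  const expected = crypto.createHmac("sha256", secret).update(h + "." + p).digest();
  const given = Buffer.from(s, "base64url");
  // timingSafeEqual requires equal lengths and compares in constant time.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error("invalid signature");
  }

  const claims = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
  if (typeof claims.exp === "number" && nowSeconds >= claims.exp) {
    throw new Error("token expired");
  }
  return claims;
}

// A payload edited after signing keeps the old signature, so verification fails.
function tamperedTokenError(secret = "constructed-demo-secret") {
  const token = signHS256({ sub: "123", role: "User" }, secret);
  const [h, , s] = token.split(".");
  const edited = h + "." + b64url(JSON.stringify({ sub: "123", role: "Admin" })) + "." + s;
  try {
    verifyHS256(edited, secret);
    return null;
  } catch (err) {
    return err.message; // "invalid signature"
  }
}
```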

What is RS256 in JWT?

RS256 uses RSA public-key cryptography. A private key signs the token, while a public key verifies it. This is commonly used in enterprise and OAuth systems.

What is the 'sub' claim in JWT?

The sub (subject) claim identifies the user or entity associated with the token. Example: "sub":"12345" where 12345 is the user's unique ID.

What is the 'iss' claim in JWT?

The iss (issuer) claim identifies who created the token. Example: "iss":"https://api.example.com".

What is the 'aud' claim in JWT?

The aud (audience) claim identifies the intended recipient of the token. Example: "aud":"my-web-app".

What is the 'exp' claim in JWT?

The exp (expiration time) claim specifies when the token expires. Example: "exp":1735689600. After this time, the token should no longer be accepted.

What is the 'iat' claim in JWT?

The iat (issued at) claim records when the token was created. Example: "iat":1735603200.

What is the 'nbf' claim in JWT?

The nbf (not before) claim specifies when the token becomes valid. Example: "nbf":1735603200. Before this time, the token should not be accepted.

How can I check if a JWT is expired?

Decode the token and inspect the exp claim. If the current timestamp is greater than the exp value, the token has expired.
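
The expiry check described above, together with nbf and iat, as an added example (not the tool's own source). The function names and the sample token are constructed for illustration, the claim values are the ones quoted in this FAQ, and nothing in it verifies the signature.

```javascript
// Added example; runs in a browser or Node.js 16+. Nothing here checks the signature.
function decodeSegment(segment) {
  // Base64Url -> Base64; atob tolerates the missing "=" padding.
  const bin = atob(segment.replace(/-/g, "+").replace(/_/g, "/"));
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Classify a token by its time claims. nowMs defaults to the current time.
function tokenTimeStatus(token, nowMs = Date.now()) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const { exp, nbf, iat } = decodeSegment(parts[1]);
  // exp/nbf/iat are NumericDate values in seconds; Date works in milliseconds.
  const now = Math.floor(nowMs / 1000);
  const toIso = (s) => (typeof s === "number" ? new Date(s * 1000).toISOString() : null);

  let status = "active";
  if (typeof exp !== "number") status = "no expiry";
  if (typeof nbf === "number" && now < nbf) status = "not yet valid";
  // RFC 7519: the current time must be before exp, so now === exp is already expired.
  if (typeof exp === "number" && now >= exp) status = "expired";
  return { status, issuedAt: toIso(iat), notBefore: toIso(nbf), expiresAt: toIso(exp) };
}

// Constructed sample token (ASCII-only claims, dummy signature segment).
const enc = (o) =>
  btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken =
  enc({ alg: "HS256", typ: "JWT" }) + "." +
  enc({ sub: "12345", iat: 1735603200, nbf: 1735603200, exp: 1735689600 }) + ".sig";
```

A status of "active" here only means the time claims look current; an unverified token can claim any exp it likes.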

What happens when a JWT expires?

The token becomes invalid and users typically need to log in again or use a refresh token.

Can JWTs be revoked?

JWTs are stateless by design, but applications can implement revocation lists or token blacklisting.

What is a Refresh Token?

A refresh token is used to obtain a new access token without requiring the user to log in again.

What is an Access Token?

An access token grants temporary access to protected resources and APIs.

Why are JWTs popular in APIs?

JWTs are self-contained and stateless. The server does not need to store session data because user information and claims travel with the token.

How is a JWT sent to an API?

JWTs are typically sent in the HTTP Authorization header. Example: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9...

What does 'Bearer Token' mean?

A bearer token grants access to whoever possesses it. Example: if an API receives Authorization: Bearer <token>, the token is used to authenticate the request.

Can I modify a JWT payload?

Yes, but modifying the payload changes the token data and invalidates the signature. The token must be re-signed using the correct key.

Why does JWT use dots (.)?

Dots separate the Header, Payload and Signature sections of the token.

What does a JWT look like?

A JWT consists of three Base64Url encoded parts separated by dots. Example: eyJhbGciOiJIUzI1NiJ9.eyJuYW1lIjoiSm9obiJ9.signature

Can JWTs be used with OAuth 2.0?

Yes. Many OAuth 2.0 and OpenID Connect providers issue JWT access tokens that contain user and authorization information.

Can JWTs be used with ASP.NET Core?

Yes. ASP.NET Core provides built-in JWT Bearer Authentication middleware for validating and authorizing JWT tokens.

Can JWTs be used with Node.js?

Yes. JWT libraries are available for Node.js and most modern programming languages.

Why does my JWT say 'Invalid Signature'?

The token may have been modified, corrupted or verified using the wrong secret or public key.

Can a JWT Decoder see passwords?

Only if someone incorrectly stores passwords in the payload. Passwords should never be included in JWTs.

Is it safe to paste a JWT into a decoder?

Use trusted tools. A secure JWT Decoder should process the token locally in your browser without storing it.

Does the QuickDeveloperTools JWT Decoder upload my token?

No. The decoder processes JWT tokens locally in your browser and does not require login.

Do I need an account to use the JWT Decoder?

No. The QuickDeveloperTools JWT Decoder is free to use and does not require registration.