JWT Viewer

Decode JWT tokens to inspect Header and Payload.


About JWT Decoder

JSON Web Tokens (JWT) are the industry standard for stateless authentication and authorization. Defined in RFC 7519, JWTs are used in OAuth 2.0 flows, OpenID Connect, API authentication headers (Bearer tokens), and session management across virtually every modern web application and microservice architecture.

JWT Structure Reference

A JWT consists of three Base64URL-encoded parts separated by dots: the Header (algorithm and token type, e.g. {"alg":"HS256","typ":"JWT"}), the Payload (claims about the user/entity), and the Signature (for verifying the token was not tampered with). Standard registered claims include iss (issuer), sub (subject), aud (audience), exp (expiration), iat (issued at), and nbf (not before).

Critical security note: JWT payloads are Base64URL-encoded, not encrypted. Anyone who intercepts the token can decode and read the payload without the secret key. Never store sensitive data like passwords or PII in JWT claims. Always validate the exp claim before trusting a token. For sensitive payloads, use JWE (JSON Web Encryption, RFC 7516) instead. The alg: none attack — where an attacker strips the signature — is a known JWT vulnerability; always verify that your library enforces algorithm validation.

FAQ

Is JWT encrypted?
Standard JWT (JWS) is only signed — the payload is Base64-encoded, not encrypted. Anyone can decode and read the contents, so never include sensitive data. Use JWE (JSON Web Encryption) if encryption is needed.
What format is the JWT exp claim?
Unix timestamp in seconds. Example: 1700000000 is 2023-11-14T22:13:20Z. Note: it is in seconds, not milliseconds.
Is it safe to decode without signature verification?
Decoding itself is safe, but never trust the payload without signature verification. Servers must always verify the signature before using the data. This tool is for client-side decoding only.