{ "alg": "HS256", "typ": "JWT" }
{ "sub": "1234567890", "name": "John Doe" }
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
Frequently Asked Questions
What is a JWT (JSON Web Token)?
A JWT is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three parts: Header, Payload, and Signature, separated by dots.
How do I decode a JWT?
Simply paste your JWT token in the input field above. The decoder will automatically parse and display the header, payload, and signature information in a readable JSON format.
Is my JWT data secure?
Yes! All decoding happens entirely in your browser. Your JWT tokens never leave your device - no data is sent to any server.
What algorithms are supported?
For encoding, we support HS256, HS384, and HS512 (HMAC algorithms). For decoding, we can parse any JWT regardless of the algorithm used.
How do I verify a JWT signature?
Enter your secret key in the verification field. For HMAC algorithms (HS256/384/512), we'll verify the signature matches. For RSA/ECDSA, you'll need the public key.
What is the JWT header?
The header typically contains the token type ("JWT") and the signing algorithm (e.g., "HS256"). It's Base64URL encoded.
What is the JWT payload?
The payload contains claims - statements about the user and metadata. Common claims include sub (subject), exp (expiration), iat (issued at), and custom data.
Are JWTs encrypted?
Standard JWTs (JWS) are signed but NOT encrypted. Anyone can decode the payload. Never put sensitive data like passwords in a JWT. Use JWE for encrypted tokens.
What does "exp" mean in a JWT?
"exp" is the expiration time as a Unix timestamp. After this time, the token should be rejected. Our decoder shows this as a human-readable date.
Can I use this tool offline?
Yes! Once loaded, this tool works completely offline. All JWT encoding and decoding happens in your browser with JavaScript.