What is a JWT?
A JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a compact, URL-safe JSON object. JWTs are commonly used for authentication and authorization in web applications and APIs. When a user logs in, the server typically issues a JWT that the client stores and sends with subsequent requests to prove identity.
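A JWT consists of three Base64URL-encoded parts separated by dots: the Header (algorithm and token type), the Payload (claims such as user data, expiry time and issuer), and the Signature (cryptographic verification). This tool decodes the first two parts so you can inspect the contained information. Base64URL is an encoding, not encryption, so anyone holding the token can read the header and payload, and decoding a token does not verify its signature.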
FAQ
Is it safe to paste my JWT here?
This tool decodes JWTs entirely in your browser — nothing is sent to our servers. However, you should never share JWTs containing sensitive user data in insecure environments. Treat production JWTs as secrets and use this tool only for debugging in development environments.
What is the difference between HS256 and RS256?
HS256 (HMAC-SHA256) uses a shared secret key for both signing and verification, so every party that can verify a token can also sign one. RS256 (RSA-SHA256) uses a private key for signing and a public key for verification, which allows signature verification without sharing the signing key. RS256 is preferred for distributed systems where multiple services need to verify tokens.
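The difference in practice, as an added example (not this tool's code) using Node's built-in crypto module: an HS256 token is checked with the same secret that signed it, an RS256 token is checked with the public key alone, and a token whose payload was altered still decodes but fails verification. The function names and the keys, which are generated at run time, are assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');

// Constructed keys for this example only, generated fresh on every run.
const hsSecret = crypto.randomBytes(32);
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

function sign(alg, payload, key) {
  const input = b64url(JSON.stringify({ alg, typ: 'JWT' })) + '.' + b64url(JSON.stringify(payload));
  const sig = alg === 'HS256'
    ? crypto.createHmac('sha256', key).update(input).digest()
    : crypto.sign('sha256', Buffer.from(input), key); // RS256: RSASSA-PKCS1-v1_5 with SHA-256
  return input + '.' + sig.toString('base64url');
}

// The caller pins the expected algorithm; the token header is never trusted to choose it.
function verify(token, expectedAlg, key) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  let header;
  try { header = JSON.parse(Buffer.from(h, 'base64url').toString()); } catch { return null; }
  if (!header || header.alg !== expectedAlg) return null;
  const input = Buffer.from(h + '.' + p);
  const sig = Buffer.from(s, 'base64url');
  let ok;
  if (expectedAlg === 'HS256') {
    const mac = crypto.createHmac('sha256', key).update(input).digest();
    ok = mac.length === sig.length && crypto.timingSafeEqual(mac, sig);
  } else if (expectedAlg === 'RS256') {
    ok = crypto.verify('sha256', input, key, sig); // public key is sufficient here
  } else return null;
  return ok ? JSON.parse(Buffer.from(p, 'base64url').toString()) : null;
}

// Decoding alone, which is all a decoder tool does, never checks the signature.
const decodePayload = (token) => JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString());

// Replace the payload while keeping the original header and signature.
function tamper(token, newPayload) {
  const [h, , s] = token.split('.');
  return h + '.' + b64url(JSON.stringify(newPayload)) + '.' + s;
}

// Demo: the altered token decodes to role "admin" but verify() returns null.
const demoToken = sign('RS256', { sub: 'alice', role: 'user' }, privateKey);
const demoForged = tamper(demoToken, { sub: 'alice', role: 'admin' });
console.log(decodePayload(demoForged).role, verify(demoForged, 'RS256', publicKey));
```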