JWT Decoder

Decode any JSON Web Token and inspect the header and payload claims.

JWT inspection tool

Decode and inspect a JSON Web Token

Paste a JWT to decode the Base64URL header and payload as JSON. Signature verification is not performed.

Paste a JWT here. A leading Bearer prefix is accepted.

JWTs can be credentials. Avoid pasting live access tokens, refresh tokens, ID tokens, session tokens, or secrets into online tools unless you trust the environment.

Token status

Decoded

JWT decoded locally. Signature verification is not performed.

Quick claim summary

Algorithm: HS256

Issuer: https://auth.example.com

Subject: 1234567890

Audience: blinkcalc-api

Expiration: Expires: 01/01/2100, 00:00:00 (2100-01-01T00:00:00.000Z)

Algorithm

HS256

JWT header alg value.

Token type

JWT

JWT header typ value.

Issuer

https://auth.example.com

iss claim if present.

Subject

1234567890

sub claim if present.

Audience

blinkcalc-api

aud claim if present.

Expiration status

Expires: 01/01/2100, 00:00:00 (2100-01-01T00:00:00.000Z)

Based on exp or nbf claims.

Claim count

10

Payload claims detected.

Segment count

3

Standard signed JWTs have 3 segments.

Privacy note

JWT decoding is designed to happen locally in your browser without sending tokens to a server.

Security note

Decoding does not verify the signature. Verify tokens separately before trusting them.

Token safety note

Avoid pasting live access tokens, refresh tokens, ID tokens, session tokens, or secrets.

Decoded header

The header describes the token type, signing algorithm, and optional key metadata.

{
  "alg": "HS256",
  "typ": "JWT",
  "kid": "blinkcalc-demo"
}

Decoded payload

The payload contains claims about identity, authorization, issuer, audience, and timing.

{
  "iss": "https://auth.example.com",
  "sub": "1234567890",
  "aud": "blinkcalc-api",
  "name": "Jane Doe",
  "scope": "read:profile write:notes",
  "roles": [
    "developer",
    "admin"
  ],
  "iat": 1516239022,
  "nbf": 1516239022,
  "exp": 4102444800,
  "jti": "demo-token-1"
}

Signature segment

The signature is used to verify token integrity. This decoder displays the signature segment but does not verify it.

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Claims breakdown

Common JWT claims with readable values and meanings.

iss

https://auth.example.com

Issuer that created the token.

sub

1234567890

Subject, usually the user or entity identifier.

aud

blinkcalc-api

Audience that the token is intended for.

name

Jane Doe

Custom application-specific claim.

scope

read:profile write:notes

Space-separated permissions or OAuth scopes.

roles

developer, admin

Application-specific authorization roles.

iat

18/01/2018, 01:30:22 (2018-01-18T01:30:22.000Z)

Issued-at time as a Unix timestamp in seconds.

nbf

18/01/2018, 01:30:22 (2018-01-18T01:30:22.000Z)

Not-before time as a Unix timestamp in seconds.

exp

01/01/2100, 00:00:00 (2100-01-01T00:00:00.000Z)

Expiration time as a Unix timestamp in seconds.

jti

demo-token-1

JWT ID, often used as a unique token identifier.

Practical JWT examples

Common JWT concepts developers inspect during authentication debugging.

Basic JWT structure

A JWT usually contains three dot-separated parts: header, payload, and signature.

header.payload.signature

Header example

The header commonly includes alg, typ, and sometimes kid.

{ "alg": "RS256", "typ": "JWT", "kid": "key-1" }

Payload claims example

The payload contains claims about identity, authorization, and timing.

{ "iss": "https://auth.example.com", "sub": "123", "aud": "api", "exp": 4102444800 }

Expired token warning

If exp is earlier than the current time, clients should treat the token as expired.

{ "exp": 1516239022 }

Signature verification warning

Decoding is not verification. Verify signatures separately before trusting token contents.

Use the correct secret or public key in your backend or auth library.

Access token vs ID token

Access tokens are for APIs. ID tokens describe identity information for client applications.

{ "scope": "read:profile", "email": "user@example.com" }

JWT quick reference

Header

Describes algorithm and token type.

Payload

Contains claims.

Signature

Used for verification.

alg

Signing algorithm.

iss

Issuer.

sub

Subject.

aud

Audience.

exp

Expiration time.

nbf

Not-before time.

iat

Issued-at time.

Base64URL

Encoding used by JWT segments.

Decode vs verify

Decoding is not trust verification.

Developer guide

Decode JWTs without confusing decoding for verification

JWT decoding helps developers inspect authentication and authorization claims, but decoded token contents should not be trusted unless the signature and claims are verified.

What is a JWT Decoder?

A JWT Decoder reads the Base64URL-encoded header and payload of a JSON Web Token and displays them as formatted JSON.

What is a JSON Web Token?

A JWT is a compact token format commonly used in authentication and authorization systems. It usually contains three dot-separated parts: header, payload, and signature.

JWT parts explained

The header describes the token type and algorithm. The payload contains claims. The signature helps verify that the token was issued by a trusted party and was not modified.
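The decode-only step described above, as an added example that is not this tool's own source code. The names b64urlToJson, decodeJwt, toB64url and SAMPLE_JWT are hypothetical, and the sample token is constructed from the demo header and payload shown on this page with a placeholder signature.

```javascript
// Added example: decode-only JWT inspection. Runs in browsers and Node.js.
function b64urlToJson(segment) {
  // Base64URL -> Base64: restore the standard alphabet and the stripped padding.
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  // Decode the bytes as UTF-8 so non-ASCII claim values are not mangled.
  return JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes));
}

function decodeJwt(input, nowSeconds = Math.floor(Date.now() / 1000)) {
  const token = input.trim().replace(/^Bearer\s+/i, ''); // accept a Bearer prefix
  const segments = token.split('.');
  if (segments.length !== 3) {
    throw new Error(`expected 3 segments, got ${segments.length}`);
  }
  const header = b64urlToJson(segments[0]);
  const payload = b64urlToJson(segments[1]);
  // Timing status from the nbf and exp claims (Unix timestamps in seconds).
  let timing = 'no exp claim';
  if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) {
    timing = 'not yet valid';
  } else if (typeof payload.exp === 'number') {
    timing = nowSeconds >= payload.exp ? 'expired' : 'unexpired';
  }
  return {
    header, payload, timing,
    signature: segments[2],                  // displayed only, never checked here
    claimCount: Object.keys(payload).length,
    verified: false,                         // decoding proves nothing about origin
  };
}

// Constructed sample: the page's demo header and payload, placeholder signature.
const toB64url = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE_JWT = [
  toB64url({ alg: 'HS256', typ: 'JWT', kid: 'blinkcalc-demo' }),
  toB64url({
    iss: 'https://auth.example.com', sub: '1234567890', aud: 'blinkcalc-api',
    name: 'Jane Doe', scope: 'read:profile write:notes', roles: ['developer', 'admin'],
    iat: 1516239022, nbf: 1516239022, exp: 4102444800, jti: 'demo-token-1',
  }),
  'placeholder-signature',
].join('.');

console.log(decodeJwt(`Bearer ${SAMPLE_JWT}`));
```

The decoder returns the claims even though the signature segment is a placeholder, which is why its output always carries verified: false.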

Decode vs verify

Decoding only reads token contents. Verification checks the signature using a secret or public key. A decoded token should not be trusted unless it is verified.

When developers use a JWT Decoder

Use it for API authentication debugging, OAuth and OIDC flows, checking expiration, issuer, audience, subject, scopes, roles, and ID token payloads.

Privacy and security

JWTs are often credentials. Avoid pasting live production tokens into online tools unless you trust the environment. JWT payloads are encoded, not encrypted by default.

Common JWT mistakes

Trusting decoded tokens without verifying the signature.
Pasting live production tokens into online tools.
Ignoring token expiration.
Confusing access tokens and ID tokens.
Storing sensitive data inside JWT payloads.
Using weak signing secrets.
Accepting alg: none.
Not validating issuer, audience, and expiration.
Assuming Base64URL encoding is encryption.
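
The separate verification step that "Decode vs verify" and the mistakes listed above call for, as an added Node.js example that is not part of this tool. It assumes an HS256 token and a shared secret; verifyJwt, signDemo and DEMO_SECRET are hypothetical names, and the secret and tokens are constructed for the demonstration.

```javascript
// Added example (Node.js): verify an HS256 JWT before trusting any claim in it.
const { createHmac, timingSafeEqual, randomBytes } = require('node:crypto');

const b64urlJson = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

function verifyJwt(token, secret, expected, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  // Allow-list the algorithm: the token must not choose it, and "none" is refused.
  if (b64urlJson(h).alg !== 'HS256') throw new Error('unexpected alg');
  // Recompute the MAC over "header.payload" and compare in constant time.
  const mac = createHmac('sha256', secret).update(`${h}.${p}`).digest();
  const sig = Buffer.from(s, 'base64url');
  if (sig.length !== mac.length || !timingSafeEqual(sig, mac)) {
    throw new Error('bad signature');
  }
  // Claims are read only after the signature has been checked.
  const claims = b64urlJson(p);
  if (claims.iss !== expected.iss) throw new Error('wrong issuer');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.aud)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || now >= claims.exp) throw new Error('expired');
  if (typeof claims.nbf === 'number' && now < claims.nbf) throw new Error('not yet valid');
  return claims;
}

// Constructed demo material: a random 256-bit secret and a helper that signs with it.
const DEMO_SECRET = randomBytes(32);
function signDemo(header, payload, secret) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const input = `${enc(header)}.${enc(payload)}`;
  return `${input}.${createHmac('sha256', secret).update(input).digest('base64url')}`;
}

const demoToken = signDemo(
  { alg: 'HS256', typ: 'JWT' },
  { iss: 'https://auth.example.com', sub: '1234567890', aud: 'blinkcalc-api',
    nbf: 1516239022, exp: 4102444800 },
  DEMO_SECRET,
);
console.log(verifyJwt(demoToken, DEMO_SECRET,
  { iss: 'https://auth.example.com', aud: 'blinkcalc-api' }));
```

A token whose payload was edited after signing, or whose header says alg: none, fails here before any claim is returned, while a decoder would display both without complaint.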

How to use this JWT Decoder

  1. Paste a JWT into the input box.
  2. Click Decode JWT or enable automatic decoding.
  3. Review the decoded header, payload, claims, and signature segment.
  4. Check expiration, issuer, audience, and subject values.
  5. Copy the decoded header or payload if needed for debugging.
  6. Verify the token separately before trusting it.

Why developers use a JWT Decoder

Inspect authentication claims quickly.
Debug OAuth and OIDC flows.
Check token expiration.
Review scopes, roles, and permissions.
Confirm issuer and audience.
Understand token structure.
Avoid manual Base64URL decoding mistakes.
Share readable claim summaries with teammates.

JWT Decoder FAQs

It decodes the Base64URL-encoded header and payload of a JSON Web Token and displays them as readable JSON.