JWT Decoder & Inspector
Decode, inspect, and validate JSON Web Tokens securely in your browser
Your token never leaves your browser. All processing is client-side.
Frequently Asked Questions
What is a JWT token?
A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. JWTs consist of three parts: header, payload, and signature, separated by dots. They’re commonly used for authentication and information exchange in web applications.
Is it safe to decode JWT tokens online?
This tool is completely safe because all decoding happens entirely in your browser. Your tokens never leave your device or get sent to any server. However, be very cautious with other online JWT tools that may send your tokens to their servers for processing. Always verify that tools are client-side only before using them with real tokens.
What does each part of a JWT mean?
A JWT has three parts separated by dots:
1. Header contains metadata about the token, like the algorithm used for signing
2. Payload contains the claims or actual data you want to transmit
3. Signature ensures the token hasn’t been tampered with and verifies the sender
How do I check if a JWT is expired?
Check the ‘exp’ (expiration time) claim in the payload. This contains a Unix timestamp. If the current time is greater than this timestamp, the token is expired. This tool automatically shows expiration status and provides a countdown timer for active tokens.
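The expiry check described above can be reproduced locally. This is an added example, not this tool's own code; the function names and the sample token are constructed for illustration, and it decodes only, without verifying the signature.

```javascript
// Added example; inspectJwt, b64urlToJson and sampleToken are hypothetical names.
function b64urlToJson(segment) {
  // base64url -> base64: swap the URL-safe characters and restore padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // fatal: true rejects invalid UTF-8 instead of silently replacing it.
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("expected three dot-separated parts");
  }
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);

  let status;
  if (payload.exp === undefined) {
    status = "no-exp"; // token never expires on its own
  } else if (typeof payload.exp !== "number" || !Number.isFinite(payload.exp)) {
    status = "invalid-exp"; // e.g. a string or null instead of a Unix timestamp
  } else {
    // Page's rule: expired once the current time is greater than exp.
    status = nowSeconds > payload.exp ? "expired" : "active";
  }
  return {
    alg: header.alg,
    payload,
    status,
    secondsLeft: status === "active" ? payload.exp - nowSeconds : null,
    signatureVerified: false, // decoding proves nothing about authenticity
  };
}

// Constructed sample: placeholder signature, ASCII-only claims.
function sampleToken(claims) {
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.placeholder-signature`;
}

const report = inspectJwt(sampleToken({ sub: "user-1", exp: 1700000000 }), 1699999000);
console.log(report.status, report.secondsLeft);
```

A status of "active" only means the decoded claim is in the future; a server must still verify the signature before trusting any claim.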
What’s the difference between HS256 and RS256?
HS256 (HMAC SHA-256) is a symmetric algorithm: the same secret is used for both signing and verification. RS256 (RSA SHA-256) is an asymmetric signature algorithm: a private key signs and the matching public key verifies. RS256 is generally preferred for distributed systems since you can share the public key without compromising security.
Founded
2023 in London, UK
Contact
hello@releaserun.com