Understanding JSON Web Tokens (JWT)
A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
How does the JWT Decoder work?
A JWT consists of three parts separated by dots (.): the Header, the Payload, and the Signature. Our JWT Decoder parses the Base64Url-encoded strings of the Header and Payload to reveal the underlying JSON data. It displays the algorithm used, the standard claims (like issuer, subject, and audience), and most importantly, calculates whether the token has expired based on the exp (expiration time) claim.
Privacy & Security Guarantees
When working with authentication tokens, security is paramount. The SlashGit JWT Decoder operates entirely on the client-side within your browser. When you paste your token, the decoding is performed using local JavaScript. Your token is never logged, tracked, or sent to any remote server. You can inspect sensitive session tokens safely.
Frequently Asked Questions (FAQ)
Does this tool verify the signature of the JWT?
No. This tool is designed to decode and inspect the contents of the token (Header and Payload) for debugging purposes. It does not verify the cryptographic signature because doing so requires the server's secret key, which should never be pasted into a web browser. Treat the decoded claims as unverified data until the signature has been checked by the system that holds the key.
What are JWT claims?
Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: Registered, Public, and Private claims. Registered claims are predefined ones like iss (issuer), exp (expiration time), sub (subject), and aud (audience). Our tool extracts these claims and presents them in a clean, readable table.
Why is my JWT decoding as invalid?
If the decoder throws an error, ensure you have copied the entire token without any missing characters or extra spaces. A valid JWT must contain exactly two periods (.) separating the three Base64Url encoded segments.
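The decode-only flow described under "How does the JWT Decoder work?" and the three-segment rule above, as an added example that is not the SlashGit tool's own code. The function names (inspectJwt, b64urlToJson) and the sample token are assumptions constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. The signature is never verified.
function b64urlToJson(segment) {
  // Base64Url uses '-' and '_' and omits '=' padding; map back to Base64.
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not Base64Url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  // Exactly two periods means exactly three segments.
  if (parts.length !== 3) throw new Error(`expected 3 segments, got ${parts.length}`);
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  // exp is seconds since the Unix epoch; null means the token carries no exp claim.
  let expired = null;
  if (payload.exp !== undefined) {
    if (typeof payload.exp !== "number") throw new Error("exp is not a number");
    expired = nowSeconds >= payload.exp;
  }
  return {
    alg: header.alg,
    claims: { iss: payload.iss, sub: payload.sub, aud: payload.aud, exp: payload.exp },
    expired,
    signatureVerified: false, // decode only: the contents are untrusted
  };
}

// Constructed sample token (hypothetical issuer and subject; the third
// segment is a dummy string, not a real signature).
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ iss: "https://issuer.example", sub: "user-123", aud: "api.example", exp: 1700000000 }),
  "c2lnbmF0dXJl",
].join(".");

console.log(inspectJwt(sampleToken, 1700000001));
```

The second argument pins the clock so the expiry result is reproducible; omit it to compare against the current time.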