Safe Tools

JWT Decoder

Securely decode JWTs within the browser. Input data is never sent externally.

JWT Basic Structure

A JWT consists of three Base64Url-encoded parts separated by dots (.).

  • Header: Specifies the token type (JWT) and the signing algorithm being used, such as HMAC SHA256 or RSA.
  • Payload: Contains the claims, which are statements about an entity (typically, the user) and additional data.
  • Signature: Used to verify the message wasn't changed along the way, generated using the encoded header, encoded payload, a secret, and the algorithm specified in the header.

Registered Claims

RFC 7519 defines the following set of registered claims.

  • iss (Issuer): Identifies the principal that issued the JWT.
  • sub (Subject): Identifies the principal that is the subject of the JWT.
  • aud (Audience): Identifies the recipients that the JWT is intended for.
  • exp (Expiration Time): Identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.
  • nbf (Not Before): Identifies the time before which the JWT MUST NOT be accepted for processing.
  • iat (Issued At): Identifies the time at which the JWT was issued.
  • jti (JWT ID): Provides a unique identifier for the JWT.

Security Warning

The JWT payload is simply Base64Url encoded, not encrypted. Anyone can decode and read the contents. Never include sensitive data like passwords or PII in the payload.

About Security

All processing is performed safely inside your browser. The input JWT is never sent to external servers.