jwt decoder

paste · decode · read. all local, nothing sent.

A JWT (JSON Web Token) has three base64url parts separated by dots: header.payload.signature. The header and payload are just base64url-encoded JSON — anyone can read them (they are not encrypted). The signature is a hash of the first two parts using a secret; it's what lets a server verify the token wasn't tampered with. If you're passing secrets in a JWT payload: don't.

jwt token

standard claims (rfc 7519)

ississuer — who created the token

subsubject — who the token is about (usually a user id)

audaudience — who the token is for

expexpiration — unix timestamp; server rejects after this

nbfnot before — unix timestamp; server rejects before this

iatissued at — unix timestamp when token was made

jtijwt id — unique identifier for replay prevention