JWT Decoder
Decode and inspect JSON Web Tokens (JWT) directly in your browser. View header, payload claims, and signature status without sharing your secret keys online.
About the JWT Decoder
The JWT Decoder by Coders Kit allows developers and security professionals to inspect the contents of JSON Web Tokens (JWTs) without the need for secret keys. Decode and view the Header and Payload sections instantly in your browser to verify claims, user roles, and expiration times. This tool runs entirely client-side, ensuring your tokens never leave your browser for maximum security.
Understanding JWT Structure
Header
The first part of the token, containing metadata about the type of token (typically "JWT") and the signing algorithm being used (e.g., HMAC SHA256 or RSA).
Payload (Claims)
The second part, which contains the claims: specific data about the user (like user ID, role, or name) and token properties (like issue time iat and expiration exp).
Signature
The third part is used to verify that the sender of the JWT is who it says it is and to ensure that the message was not changed along the way. Note: We do not verify signatures here as that requires your private key.
Frequently Asked Questions (FAQ)
- Is it safe to paste my JWT here?
- Yes. This tool is client-side only. Your tokens are processed locally in your browser using JavaScript and are never sent to any server. You can inspect the network traffic to verify.
- What do 'exp', 'iat', and 'iss' mean?
- These are standard claims:
  - exp (Expiration Time): When the token expires.
  - iat (Issued At): When the token was created.
  - iss (Issuer): The entity that issued the token.
- Can I edit the JWT payload?
- Technically yes, but editing the payload invalidates the signature. If you try to use a tampered token on a secure server, it will be rejected unless you can re-sign it with the correct secret key.
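The three-part structure and the last FAQ answer, shown as an added example (not the Coders Kit tool's own code): it decodes a token without any key, then verifies an HS256 signature so that an edited payload is rejected. It assumes Node.js and its built-in crypto module; the function names, secret and claim values are constructed for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const hs256 = (input, secret) => createHmac('sha256', secret).update(input).digest();

// Decode only: no key needed, and nothing here proves the claims are genuine.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [header, payload] = parts.slice(0, 2)
    .map((p) => JSON.parse(Buffer.from(p, 'base64url').toString('utf8')));
  return { header, payload, signature: parts[2] };
}

// Verify as a server would: pin the algorithm, recompute the HMAC over
// "header.payload", compare in constant time, then check exp.
function verifyHs256(token, secret, nowSeconds) {
  const { header, payload, signature } = decodeJwt(token);
  if (header.alg !== 'HS256') return { ok: false, reason: 'unexpected alg' };
  const expected = hs256(token.slice(0, token.lastIndexOf('.')), secret);
  const given = Buffer.from(signature, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, payload };
}

// Constructed sample values (not real credentials).
const SECRET = 'constructed-demo-secret';
const NOW = 1700000000;
function sign(payload) {
  const input = `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url(payload)}`;
  return `${input}.${hs256(input, SECRET).toString('base64url')}`;
}
const token = sign({ sub: 'user-123', role: 'user', iss: 'example-issuer', iat: NOW, exp: NOW + 3600 });

// Edit the payload but keep the old signature, as in the FAQ's last question.
const [h, , s] = token.split('.');
const edited = { ...decodeJwt(token).payload, role: 'admin' };
const tampered = `${h}.${b64url(edited)}.${s}`;

console.log(decodeJwt(tampered).payload);          // decodes without complaint
console.log(verifyHs256(tampered, SECRET, NOW));   // rejected by the verifier
console.log(verifyHs256(token, SECRET, NOW + 7200));
```

The tampered token still decodes cleanly, which is why decoded claims should be treated as untrusted input until a verifier holding the key has accepted the token.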
