JWT Decoder

Paste a JSON Web Token to inspect its header and payload. Signature verification is not performed — that requires the issuer's secret or public key. Tokens never leave your browser.

    What is a JWT?

    A JSON Web Token (JWT, RFC 7519) is a compact way to transmit a set of claims between two parties. It is a string of three Base64URL-encoded parts joined by dots: header.payload.signature. The header declares the signing algorithm, the payload carries the claims (subject, expiration, custom fields), and the signature proves the token has not been tampered with. JWTs are widely used for authentication — typically as Authorization: Bearer <token> headers — and for OAuth 2.0 / OpenID Connect flows.

    Standard claims you will see

    • iss — issuer (who created the token)
    • sub — subject (usually the user ID)
    • aud — audience (who the token is for)
    • exp — expiration timestamp (Unix seconds)
    • iat — issued-at timestamp
    • nbf — not-before timestamp
    • jti — unique token ID

    Decoding is not verification

    Anyone can decode a JWT without knowing the secret — the signature only guards integrity, not confidentiality. The payload is plainly visible once Base64-decoded. Never put passwords, API keys, or PII in a JWT payload. And never trust an unverified JWT server-side: always check the signature using the issuer's secret (HMAC) or public key (RS256/ES256) before granting access.

    Privacy

    This decoder runs entirely in your browser tab. Nothing is logged, nothing is sent to our servers. That said, pasting production tokens anywhere online is generally unwise — if a token has been copied outside its trust boundary, rotate it.