JWT Decoder

Decode JSON Web Tokens (JWT) in your browser. View the header and payload, pretty-print JSON claims, and learn about token structure.

Understanding JWTs

A JWT (JSON Web Token) has three base64url-encoded parts: header.payload.signature. The header and payload are JSON; the signature verifies integrity and authenticity.

  • Header: algorithm (alg), type (typ = JWT).
  • Payload: claims like iss, sub, aud, exp, iat, nbf, and custom fields.
  • Signature: ensures the token wasn’t tampered with.

Base64url vs Base64

JWT uses base64url, which replaces + and / with - and _ and omits the = padding. Decoding requires mapping these characters back and adding padding if needed.
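
The normalization described above, as an added example (not this tool's own code): a decode-only parser that rejects malformed segments before decoding. The function names and the sample token are constructed for illustration, and nothing here verifies the signature.

```javascript
// Added example: decode-only. Never treat the output as trusted.
function base64urlToBytes(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error("segment contains characters outside the base64url alphabet");
  }
  if (segment.length % 4 === 1) {
    throw new Error("segment length is impossible for base64url");
  }
  // Map the URL-safe alphabet back to standard base64, then restore padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

function decodeJsonSegment(segment, name) {
  const text = new TextDecoder().decode(base64urlToBytes(segment));
  const value = JSON.parse(text); // throws on invalid JSON
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error(name + " is not a JSON object");
  }
  return value;
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error("expected 3 dot-separated parts, got " + parts.length);
  }
  return {
    header: decodeJsonSegment(parts[0], "header"),
    payload: decodeJsonSegment(parts[1], "payload"),
    signatureBytes: base64urlToBytes(parts[2]).length,
    verified: false, // decoding alone proves nothing about authenticity
  };
}

// Constructed sample token (not from the page); the signature is filler bytes.
const toB64url = (s) =>
  btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = [
  toB64url(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  toB64url(JSON.stringify({ iss: "https://issuer.example", sub: "user-123", exp: 1700000000 })),
  toB64url("constructed-signature"),
].join(".");

console.log(decodeJwt(SAMPLE));
```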

Security note

This tool only decodes JWTs; it does not verify signatures or validate issuer/audience. For verification, use your server or a trusted library with your signing keys or JWKS.

Common claims

  • iss (issuer), sub (subject), aud (audience)
  • exp (expiration, seconds since epoch), iat (issued at), nbf (not before)
  • jti (token ID), scope / roles (custom)