JWT Decoder & Inspector
Paste a JSON Web Token to decode its header, payload, and check expiration — all locally.
What is a JWT?
A JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. JWTs are compact, URL-safe tokens commonly used for authentication, authorization, and information exchange in web applications and APIs. They are especially prevalent in OAuth 2.0 and OpenID Connect flows, where they serve as access tokens, ID tokens, and refresh tokens. Because JWTs are self-contained — carrying all necessary information within the token itself — they reduce the need for repeated database lookups and enable stateless authentication architectures.
JWT Structure Explained
A well-formed JWT consists of three Base64URL-encoded segments separated by dots (header.payload.signature). Each segment serves a distinct purpose:
- Header (first segment) — A JSON object containing metadata about the token, typically the signing algorithm (alg, e.g. HS256, RS256) and the token type (typ, usually JWT).
- Payload (second segment) — A JSON object containing the claims. These are statements about the subject (user) and additional metadata. Claims can be registered (standardized), public, or private.
- Signature (third segment) — A cryptographic signature computed over the encoded header and encoded payload, using either a shared secret key (HMAC) or a private key (RSA/ECDSA). The signature ensures the token has not been tampered with.
When you paste a JWT into this tool, the header and payload are Base64URL-decoded and displayed as formatted JSON. You can also use the JSON Formatter to further explore the decoded structure, or the Base64 Encoder/Decoder to inspect the raw encoding of each segment.
Common JWT Claims
The JWT specification defines several registered claim names that are widely used across authentication and authorization implementations:
- sub (Subject) — Identifies the principal that is the subject of the JWT, such as a user ID or email address. This claim is usually unique within the issuing context.
- iss (Issuer) — Identifies the principal that issued the JWT, typically a URL like https://auth.example.com.
- aud (Audience) — Identifies the recipients the JWT is intended for. Each intended recipient should verify that the audience claim includes its own identifier.
- exp (Expiration) — A Unix timestamp after which the JWT must be rejected. This tool highlights expired tokens with a prominent visual warning.
- nbf (Not Before) — A Unix timestamp before which the JWT must not be accepted, useful for tokens that should not be processed until a specific time.
- iat (Issued At) — A Unix timestamp identifying when the JWT was issued, displayed by this tool as a human-readable date and time.
- jti (JWT ID) — A unique identifier for the JWT, used to detect replay: a verifier that records the IDs it has already accepted can reject a token presented a second time.
Applications can also include custom claims (e.g., name, email, role, permissions) to carry application-specific data. This tool automatically detects and displays common registered claims alongside any custom claims present in the token for easy inspection.