A JWT (JSON Web Token) is a compact, URL-safe token format for securely transmitting information between parties. It consists of three parts: header (algorithm), payload (claims/data), and signature. JWTs are the standard for API authentication.

Is it safe to decode a JWT?

Decoding a JWT reveals its contents but does not compromise security — the payload is base64-encoded, not encrypted. The security lies in the signature verification. However, never expose JWTs containing sensitive data in URLs or client-side logs.

Claims are statements about the user and metadata. Standard claims include: iss (issuer), sub (subject), exp (expiration), iat (issued at), and aud (audience). Custom claims can contain any application-specific data like user roles.

How long should a JWT token last?

Access tokens should expire in 15-30 minutes for security. Refresh tokens can last 7-30 days. Short-lived access tokens limit damage if compromised, while refresh tokens provide a smooth user experience without frequent re-authentication.

Is it safe to decode a JWT here?

Yes! This tool runs entirely in your browser. Your token is never sent to any server. You can verify this in your browser's network tab.

What does token expiration mean?

The 'exp' claim in a JWT indicates when the token expires. After this time, the token should be rejected by the server.

🎫 JWT Decoder

Decode JSON Web Tokens (JWT) to inspect header, payload, and signature — entirely in your browser.

Decodes JSON Web Tokens showing header, payload, and signature without requiring the secret key, for debugging auth flows.

Key Facts

Standardized in RFC 7519 (2015)
80%+ of modern APIs use JWT
Three parts separated by dots (.)
Common algorithms: HS256, RS256

Frequently Asked Questions

What is a JWT?

Compact, URL-safe token with header (algorithm), payload (claims), and signature for API authentication.

Is decoding JWT safe?

Yes — payload is base64-encoded, not encrypted. Security is in signature verification, not content hiding.

What are JWT claims?

Statements about user: iss (issuer), sub (subject), exp (expiration), iat (issued at), aud (audience).

How long should JWT last?

Access tokens: 15-30 min. Refresh tokens: 7-30 days. Short-lived limits damage if compromised.

🎫 JWT Decoder

What is a JSON Web Token (JWT)?

JWT Structure

Frequently Asked Questions

Key Facts

Frequently Asked Questions

🎫 JWT Decoder

What is a JSON Web Token (JWT)?

JWT Structure

Frequently Asked Questions

Key Facts

Frequently Asked Questions

Related Developer Tools