PXLTools

JWT Decoder

Decode and inspect JSON Web Tokens

How to use JWT Decoder

  1. Paste your JWT into the input field above. A JWT has three parts separated by dots.
  2. The tool decodes the header and payload and highlights standard claims.
  3. Check the expiration (exp) claim to see whether the token has expired.
  4. The signature is shown but not verified — signature verification requires the secret or public key and should be done on your backend.

What are JSON Web Tokens?

JSON Web Tokens (JWTs) are a compact, URL-safe way to represent claims between two parties. A JWT is made of three parts — header, payload, and signature — each base64url-encoded and separated by dots.

JWTs are widely used for authentication: when a user logs in, the server issues a JWT containing the user ID and expiration. The client sends this token on subsequent requests, and the server verifies the signature to confirm the token is genuine.

Because payload data is base64url-encoded (not encrypted), anyone who holds the token can read it. Never put sensitive data in a JWT payload. For protection against tampering, rely on the signature: that is what prevents forgery when the secret key is properly kept private.
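
One way to do the backend verification described above, as an added example that is not PXLTools code: a Node.js HS256 check that pins the expected algorithm, compares the signature in constant time, and only then reads exp and nbf. The function names, secret and claims are constructed for illustration, and requiring exp is this example's policy.

```javascript
// Added example (not PXLTools code). Secret, claims and helper names are constructed.
const crypto = require("node:crypto");

const decodePart = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));
const isObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Returns { ok: true, payload } or { ok: false, reason }.
function verifyHs256(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [h, p, s] = parts;

  let header, payload;
  try {
    header = decodePart(h);
    payload = decodePart(p);
  } catch (err) {
    return { ok: false, reason: "malformed" };
  }
  if (!isObject(header) || !isObject(payload)) return { ok: false, reason: "malformed" };

  // The header is unauthenticated input: the server pins the algorithm it expects.
  if (header.alg !== "HS256") return { ok: false, reason: "unexpected alg" };

  // Recompute the MAC over the exact received "header.payload" bytes; compare in constant time.
  const expected = crypto.createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad signature" };
  }

  // Claims are trusted only after the signature check. Requiring exp is this example's policy.
  if (typeof payload.exp !== "number" || payload.exp <= nowSeconds) return { ok: false, reason: "missing or expired exp" };
  if (typeof payload.nbf === "number" && payload.nbf > nowSeconds) return { ok: false, reason: "not yet valid" };
  return { ok: true, payload };
}

// Helper used only to build constructed sample tokens for the demo.
function signHs256(header, payload, secret) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  const input = `${enc(header)}.${enc(payload)}`;
  const sig = crypto.createHmac("sha256", secret).update(input).digest().toString("base64url");
  return `${input}.${sig}`;
}

const DEMO_SECRET = "constructed-demo-secret"; // constructed value, not a real key
const demoToken = signHs256({ alg: "HS256", typ: "JWT" }, { sub: "user-123", exp: 2000 }, DEMO_SECRET);
console.log(verifyHs256(demoToken, DEMO_SECRET, 1000));
```

The third argument fixes the clock so the result is reproducible; omit it in real use so the current time is applied.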

Frequently Asked Questions

What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe way to transmit claims between two parties. It consists of three dot-separated Base64URL-encoded parts: header (algorithm info), payload (the claims), and signature (for verification). JWTs are commonly used for authentication and information exchange in APIs.

Can I verify the signature of a JWT here?
No. Signature verification requires the secret key (for HMAC algorithms) or public key (for RSA/ECDSA). For your security, we do not prompt for or transmit secret keys. Verify signatures in your backend or a trusted environment.

Are JWTs encrypted?
Standard JWTs (JWS) are signed but not encrypted. The payload is base64url-encoded, which is easily decoded by anyone. Never put sensitive data (passwords, private keys) in a JWT payload. If you need encryption, use JWE (JSON Web Encryption).

What are common JWT claims?
Standard claims include iss (issuer), sub (subject, usually the user ID), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (unique token ID). Custom claims can also be added — they should typically use a namespaced key to avoid collisions.

Is the JWT data sent to any server?
No. All decoding happens locally in your browser. We never receive, log, or store the tokens you paste here.