Decode and analyze JWT tokens online
JWT (JSON Web Token) is a standard for creating access tokens, consisting of three parts separated by dots.
Header — contains information about the signing algorithm (alg) and token type (typ).
Payload — contains data (claims) — user identifier, roles, token issuance and expiration time, and other fields.
Signature — the signature that ensures token integrity. Displayed in hexadecimal format.
If the payload contains an "exp" (expiration) field, the tool will automatically show whether the token has expired or is still valid, and the remaining time.
Decoding is performed on the client — the token is not sent to a server.
JWT Decoder Online — Token Decoding with Color Coding
JSON Web Token (JWT) is a compact, secure way to transmit data between parties as a JSON object. Our decoder splits the token into three color-coded parts, displays all claims with explanations, and shows a summary (algorithm, expiration, issuer).
JWT Token Structure
JWT consists of three dot-separated parts: Header.Payload.Signature
- Header — signing algorithm and token type. Base64url-encoded JSON
- Payload — claims: user info, expiration, permissions
- Signature — cryptographic signature for authenticity verification
Standard Claims (RFC 7519)
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Token issuer |
| sub | Subject | Subject (user ID) |
| exp | Expiration | Expiry time (Unix timestamp) |
| iat | Issued At | Token issuance time |
| jti | JWT ID | Unique token identifier |
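The decoding steps described above (split on dots, Base64url-decode the header and payload, show the signature as hex, evaluate `exp`) can be sketched as follows. This is an added example, not the tool's own source; the function names, the `signatureVerified` field and the sample token are constructed for illustration.

```javascript
// Added example (not the tool's source): decode a JWT client-side without
// verifying its signature. Function names and the sample token are constructed.

// Decode one base64url segment into raw bytes.
function b64urlToBytes(part) {
  if (!/^[A-Za-z0-9_-]*$/.test(part) || part.length % 4 === 1) {
    throw new Error("segment is not valid base64url");
  }
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Split Header.Payload.Signature, parse the two JSON parts, hex-encode the
// signature bytes and evaluate "exp" against nowSeconds (Unix time).
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected Header.Payload.Signature");
  const utf8 = new TextDecoder("utf-8", { fatal: true });
  const parseJson = (p) => JSON.parse(utf8.decode(b64urlToBytes(p)));
  const header = parseJson(parts[0]);
  const payload = parseJson(parts[1]);
  const signatureHex = Array.from(b64urlToBytes(parts[2]), (b) =>
    b.toString(16).padStart(2, "0")).join("");
  let expiry = { status: "no exp claim" };
  if (payload && typeof payload.exp === "number") {
    const remaining = payload.exp - nowSeconds;
    expiry = remaining > 0
      ? { status: "valid", remainingSeconds: remaining }
      : { status: "expired", expiredSecondsAgo: -remaining };
  }
  // Nothing above checks the signature: this is decoding, not verification.
  return { header, payload, signatureHex, expiry, signatureVerified: false };
}

// Constructed sample token; the signature is placeholder bytes, not a real HMAC.
const b64url = (s) => btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
function makeSampleToken(claims) {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const sig = b64url(String.fromCharCode(0xde, 0xad, 0xbe, 0xef));
  return `${header}.${b64url(JSON.stringify(claims))}.${sig}`;
}

const sample = makeSampleToken({ iss: "example-issuer", sub: "user-42", exp: 2000 });
console.log(decodeJwt(sample, 1000));
```

A token whose payload was edited after signing decodes just as cleanly here, which is why a decoder's output says nothing about authenticity.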
Signing Algorithms
| Algorithm | Type | Use case |
|---|---|---|
| HS256 | HMAC-SHA256 (symmetric) | Microservices with shared secret |
| RS256 | RSA-SHA256 (asymmetric) | OAuth 2.0, public APIs |
| ES256 | ECDSA-SHA256 (asymmetric) | Mobile apps, IoT |
JWT Security
- Decoding ≠ verification — our tool decodes without verifying the signature
- Don't store secrets in payload — payload is only Base64-encoded, not encrypted
- Set short exp — access token: 15–60 min, refresh token: 7–30 days
Frequently Asked Questions
How is JWT different from session cookies?
Session data is stored on the server, while a JWT is stored on the client. JWT is stateless, which makes it well suited to microservices.
Can JWT be edited?
The payload can be changed, but the signature then becomes invalid, and a server that verifies the signature will reject the token.
Is it safe to paste JWT here?
Decoding happens in the browser — the token is not sent to a server.
For Base64 encoding use the Base64 encoder, for hashing — Hash generator.