JWT Decoder

Decode and inspect JSON Web Tokens

What is JWT?

JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

A JWT consists of three parts separated by dots (.):

  • Header: Contains the token type (JWT) and the signing algorithm (e.g., HS256, RS256).
  • Payload: Contains the claims—statements about an entity (typically the user) and additional data like expiration time, issuer, and subject.
  • Signature: Used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.

Example JWT structure: header.payload.signature

How to Use This Tool

  1. Paste JWT Token: Copy your JWT token from your application or API response and paste it into the input field. An example token is pre-loaded to demonstrate the tool.
  2. Decode Token: The tool automatically decodes the JWT on page load. Click "Decode JWT" to refresh or decode a new token.
  3. View Header: Inspect the header to see the algorithm used (e.g., HS256) and token type.
  4. Inspect Payload: View all claims in the payload, including user information, permissions, expiration time, and custom claims.
  5. Check Expiration: The tool automatically checks if the token has expired based on the "exp" claim and displays the expiration timestamp in a readable format.
  6. Copy Data: Use the copy buttons to grab the header or payload JSON for further analysis or debugging.
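The decode, header, payload and expiration steps above, sketched as an added JavaScript example (not this tool's own code), with the algorithm and lifetime checks from the security-audit use case included. The header and payload are only base64url-encoded, so decoding needs no key and says nothing about whether the signature is valid. The function names, the sample token and the 24-hour lifetime threshold are assumptions made for illustration.

```javascript
// Added example, not the tool's code. It decodes only: the signature is never verified.

// base64url (no padding, "-" and "_") to UTF-8 text.
function b64urlToText(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error("segment is not base64url");
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (seg.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Split header.payload.signature and parse the two JSON parts.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected 3 dot-separated parts, got " + parts.length);
  return {
    header: JSON.parse(b64urlToText(parts[0])),
    payload: JSON.parse(b64urlToText(parts[1])),
    signature: parts[2], // left encoded; checking it requires the key
  };
}

// Audit a decoded token. maxLifetimeSec (24 h) is an assumed policy value.
function auditJwt({ header, payload, signature }, nowSec, maxLifetimeSec = 86400) {
  const findings = [];
  if (typeof header.alg !== "string") findings.push("no alg in header");
  else if (header.alg.toLowerCase() === "none") findings.push("alg none: token is unsigned");
  if (signature === "") findings.push("empty signature part");
  if (typeof payload.exp !== "number") {
    findings.push("no exp claim");
  } else {
    if (payload.exp <= nowSec) findings.push("expired");
    if (typeof payload.iat === "number" && payload.exp - payload.iat > maxLifetimeSec)
      findings.push("lifetime over " + maxLifetimeSec + "s");
  }
  return findings;
}

// Constructed sample token (not a real credential); the signature is a placeholder.
const toSeg = (obj) => btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_JWT = [
  toSeg({ alg: "HS256", typ: "JWT" }),
  toSeg({ sub: "demo-user", iat: 1700000000, exp: 1700604800 }),
  "placeholder-signature",
].join(".");

const decoded = decodeJwt(SAMPLE_JWT);
console.log(decoded.header, decoded.payload);
console.log(auditJwt(decoded, 1700000100)); // fixed "now" so the result is reproducible
```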

Common Use Cases

  • API Authentication: Debug authentication issues by inspecting JWT tokens sent in Authorization headers.
  • Token Debugging: Verify token contents, expiration times, and claims when troubleshooting login or access issues.
  • Development & Testing: Inspect test tokens to ensure they contain the correct claims and permissions.
  • Security Audits: Analyze JWT tokens to verify they're using strong algorithms and appropriate expiration times.
  • OAuth & SSO: Decode tokens from OAuth 2.0 flows or Single Sign-On (SSO) systems like Auth0, Okta, or Azure AD.
  • Mobile App Development: Inspect tokens used in mobile apps for API communication.
  • Microservices: Debug service-to-service authentication by examining JWT tokens passed between services.
  • Learning: Understand how JWTs work by decoding real-world tokens and seeing their structure.