JWT Inspector & Decoder
Decode JWT header and payload, inspect claims and timestamps, and review token structure instantly.
About JWT Inspector & Decoder
This JWT inspector decodes JSON Web Tokens entirely in your browser, displaying the header, payload, and token metadata without sending any data to a server. It's designed for developers who need to quickly inspect token contents during authentication debugging.
JWT Structure
A JWT consists of three Base64Url-encoded parts separated by dots:
Header.Payload.Signature

Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Header Contents
The header typically contains two fields:
- alg: The signing algorithm (e.g., HS256, RS256, ES256)
- typ: The token type, usually "JWT"
Payload Claims
The payload contains claims (statements about an entity and additional data):
- Registered claims: Standard fields like iss (issuer), sub (subject), aud (audience), exp (expiration), nbf (not before), iat (issued at), jti (JWT ID)
- Public claims: Custom fields defined by your application (e.g., userId, role, email)
- Private claims: Custom claims agreed upon between parties
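To make the structure above concrete, here is an added example (not ToolForge's own code) of the decoding step a browser-side inspector performs: split on the dots, reverse the Base64Url encoding of the first two parts, and parse them as JSON. The signature segment is returned untouched because decoding does not check it. The sample token is the one shown in the Example line above; it runs under Node.js, where Buffer is a global.

```javascript
// Added example, not part of the ToolForge tool: decode (not verify) a compact JWT.

// Base64Url -> UTF-8 string. JWT segments use '-' and '_' instead of '+' and '/'
// and omit '=' padding, so both have to be restored before standard Base64 decoding.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error('segment contains characters outside the Base64Url alphabet');
  }
  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Split a compact JWT into header, payload and signature. Throws on the malformed
// cases an inspector should report: wrong part count, bad encoding, non-JSON parts.
// Leading/trailing whitespace from copy-paste is tolerated; inner whitespace is not.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  const isObject = (v) => typeof v === 'object' && v !== null && !Array.isArray(v);
  if (!isObject(header) || !isObject(payload)) {
    throw new Error('header and payload must be JSON objects');
  }
  // The signature is kept as its raw Base64Url text; nothing here validates it.
  return { header, payload, signature: s };
}

// Sample token from the page (HS256, payload with sub/name/iat only).
const SAMPLE_JWT =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

console.log(JSON.stringify(decodeJwt(SAMPLE_JWT), null, 2));
```

Because nothing in this function needs the secret or public key, it can run anywhere, which is exactly why a decoded payload proves nothing about who issued the token.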
Common JWT Algorithms
| Algorithm | Type | Key Required |
|---|---|---|
| HS256 | HMAC + SHA-256 | Symmetric (shared secret) |
| RS256 | RSA + SHA-256 | Asymmetric (private/public key pair) |
| ES256 | ECDSA + P-256 | Asymmetric (elliptic curve) |
| none | No signature | Not recommended for production |
Security Notes
- Decoding ≠ Verification: Anyone can decode a JWT. The signature must be verified to trust the contents.
- Never trust unsigned tokens: Tokens with "alg": "none" have no signature and can be forged.
- Check expiration: Always validate the exp claim on your server.
- Use HTTPS: JWTs transmitted over HTTP can be intercepted and reused.
Example JWT Payload
{
"sub": "user-12345",
"name": "John Doe",
"email": "[email protected]",
"role": "admin",
"iat": 1710000000,
"exp": 1710086400
}
How to Inspect a JWT Token
- Paste your JWT: Copy the full JWT token (all three parts separated by dots) into the input box.
- Click "Inspect JWT": The tool will decode the Base64Url-encoded header and payload sections.
- Review the contents: Examine the header (algorithm, token type), payload (claims, user data), and token info (expiration status, timestamps).
- Copy or clear: Click "Copy Inspection" to copy the decoded contents, or clear the input to inspect another token.
Understanding the Output
Header: Shows the signing algorithm and token type as JSON.
Payload: Displays all claims including user data and timestamps in readable JSON format.
Token Info: Shows expiration status, human-readable dates for timestamp claims, and whether a signature is present.
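The Token Info panel is derived entirely from the decoded parts and the current clock. As an added example (not ToolForge's code), the function below builds that summary from an already-decoded token of the shape { header, payload, signature }: human-readable ISO dates for the timestamp claims, an expiration status, and whether a signature segment is present. The input token is constructed here from the Example JWT Payload shown above, and the clock is passed in explicitly so the result is reproducible.

```javascript
// Added example, not part of the ToolForge tool: compute a Token Info summary.

const TIMESTAMP_CLAIMS = ['iat', 'nbf', 'exp'];

// Summarise a decoded token at a given moment (Unix seconds).
function tokenInfo({ header, payload, signature }, nowSeconds = Math.floor(Date.now() / 1000)) {
  // JWT timestamps are seconds since the epoch; Date wants milliseconds.
  const dates = {};
  for (const claim of TIMESTAMP_CLAIMS) {
    if (Number.isInteger(payload[claim])) {
      dates[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }

  // Status mirrors the order a verifier would apply: no exp, expired, not yet valid, active.
  let status;
  if (!Number.isInteger(payload.exp)) status = 'no exp claim';
  else if (nowSeconds >= payload.exp) status = 'expired';
  else if (Number.isInteger(payload.nbf) && nowSeconds < payload.nbf) status = 'not yet valid';
  else status = 'active';

  return {
    algorithm: typeof header.alg === 'string' ? header.alg : 'missing',
    type: typeof header.typ === 'string' ? header.typ : 'missing',
    // A present signature segment says nothing about validity; it only means there is something to verify.
    hasSignature: typeof signature === 'string' && signature.length > 0,
    status,
    secondsUntilExpiry: Number.isInteger(payload.exp) ? payload.exp - nowSeconds : null,
    dates,
  };
}

// Constructed decoded token: header and payload as on this page, placeholder signature text.
const DECODED_EXAMPLE = {
  header: { alg: 'HS256', typ: 'JWT' },
  payload: {
    sub: 'user-12345',
    name: 'John Doe',
    role: 'admin',
    iat: 1710000000,
    exp: 1710086400,
  },
  signature: 'placeholder-signature-segment',
};

// A clock ten minutes after issuance, well before expiry.
const DEMO_NOW = 1710000600;

console.log(JSON.stringify(tokenInfo(DECODED_EXAMPLE, DEMO_NOW), null, 2));
```

The same function reports an unsigned token (empty third segment) as hasSignature: false, which is the case the Security Notes single out as forgeable.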
Example JWT
You can test with this sample JWT (HS256, expired):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Frequently Asked Questions
- What is a JWT and how is it structured?
- A JWT (JSON Web Token) is a compact, URL-safe token format for securely transmitting information between parties. It consists of three parts separated by dots: Header (algorithm and token type), Payload (claims and data), and Signature (verification). The format is: xxxxx.yyyyy.zzzzz where each part is Base64Url encoded.
- Can this tool verify JWT signatures?
- This tool decodes and displays JWT header and payload contents, but does not verify signatures. Signature verification requires the original secret key (for HMAC) or public key (for RSA/ECDSA) and should be done on your server. Never share your secret keys with online tools.
- What do exp, iat, and nbf claims mean?
- These are standard JWT timestamp claims: 'exp' (expiration time) - token expires after this time, 'iat' (issued at) - when the token was created, 'nbf' (not before) - token is invalid before this time. All are Unix timestamps in seconds.
- Is it safe to decode JWTs with online tools?
- This tool runs entirely in your browser - tokens are never sent to any server. However, avoid pasting production tokens with sensitive claims or long validity periods. For highly sensitive tokens, use offline tools or inspect them directly in your application code.
- What algorithms are commonly used for JWT signing?
- Common JWT algorithms include: HS256 (HMAC with SHA-256, symmetric key), RS256 (RSA with SHA-256, asymmetric), ES256 (ECDSA with P-256 and SHA-256), and none (unsigned, not recommended). The algorithm is specified in the token header.
- Why is my JWT showing as invalid or malformed?
- Common causes include: missing parts (JWT must have 3 dot-separated sections), invalid Base64Url encoding, extra whitespace or characters, or using an unsupported algorithm. Ensure you copied the complete token including all three parts.