Tool Forge
JWT Decoder
Inspect any JSON Web Token — header, payload, claims, and expiration status. Runs entirely in your browser. Your token never leaves your device.
Privacy-first: All decoding runs locally in your browser using JavaScript. Your JWT is never transmitted to any server. Safe to use with production tokens.
Signature
The signature is created by the token issuer so that recipients can verify the token's authenticity. Without the secret or public key, the signature cannot be validated here.
How This JWT Decoder Works
A JSON Web Token consists of three base64url-encoded sections separated by dots (.):
- Header — Describes the token type and the signing algorithm (e.g., HS256, RS256).
- Payload — Contains the claims: assertions about the user or subject, plus any custom data.
- Signature — Created by the token issuer using the header, payload, and a secret or private key. Verifying it requires knowing the key.
This tool decodes the header and payload by reversing the base64url encoding and parsing the resulting JSON. The signature is displayed as-is but cannot be verified without the secret or public key, so the decoded claims are unverified.
Common JWT Claims
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Who issued the token |
| sub | Subject | Who the token is about (usually a user ID) |
| aud | Audience | Who the token is intended for |
| exp | Expiration Time | Unix timestamp when the token expires |
| nbf | Not Before | Token is invalid before this time |
| iat | Issued At | Unix timestamp when the token was issued |
| jti | JWT ID | Unique identifier for the token |