
JWT Decoder / Encoder

Decode and inspect JWT tokens instantly, or create signed JWTs. 100% client-side.

All processing is done entirely in your browser. No data is sent to any server.

What is JWT (JSON Web Token)?

JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. It is commonly used for authentication and information exchange in web applications. A JWT is Base64URL-encoded — not encrypted — so anyone can read the payload. Never store sensitive information in a JWT without encryption.

JWT Structure

Example

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

header.payload.signature (the three dot-separated segments of the token above)

Header

Contains the token type (typ) and the signing algorithm (alg), such as HS256 or RS256.

Payload

Contains claims — statements about the user and additional metadata such as exp (expiration), iat (issued at), and sub (subject).

Signature

The signature is created by signing the encoded header and payload with a secret key (HS256) or a private key (RS256). The verifier recomputes or checks it to confirm that neither the header nor the payload has been altered since the token was issued.

Standard Claims

Claim   Meaning
iss     Issuer
sub     Subject
aud     Audience
exp     Expiration
iat     Issued At
nbf     Not Before
jti     JWT ID

FAQ

Is JWT encrypted?
No. A standard JWT (JWS) is only signed, not encrypted. The payload is Base64URL-encoded and can be decoded by anyone. Never put sensitive information like passwords in a JWT payload.

Why is a secret key required to verify the signature?
HMAC-based signatures (HS256, etc.) use a shared secret. Without the secret, it is impossible to tell whether the signature is authentic. Decoding the payload and verifying the signature are two different operations: decoding needs no key at all.

What happens if there is no exp claim?
If the exp claim is absent, the token never expires on its own. The server must implement its own revocation mechanism (e.g., a token blocklist) to invalidate such tokens.

What is the difference between HS256 and RS256?
HS256 uses a symmetric secret key shared between all parties, so every party that can verify a token can also create one. RS256 uses an asymmetric key pair (private key to sign, public key to verify), which is better suited for microservices and third-party verification because verifiers only need the public key.

Where should I store a JWT?
HttpOnly cookies are recommended because page JavaScript cannot read them, which limits what an XSS attack can steal; cookie-based sessions then also need CSRF protection (e.g., the SameSite cookie attribute). Storing JWTs in localStorage is convenient but any script running on the page, including injected XSS, can read them.

What is a Refresh Token?
A Refresh Token is a separate, long-lived token used to obtain a new Access Token after it expires, without requiring the user to log in again.

Is the JWT I paste here sent to a server?
No. All decoding and encoding is performed entirely in your browser using JavaScript. Nothing is transmitted to any server.
