JWT
Paste a JSON Web Token to decode its header and payload locally in your browser.
{
  "alg": "HS256",
  "typ": "JWT"
}
{
  "sub": "1234567890",
  "name": "Jane Doe",
  "iat": 1700000000,
  "exp": 4000000000
}
B0r1uNcZ0sN6gFK1XlBjqW0kIzKLPB54Z6iH6Dn5OqI
About
- Decoding is purely client-side; tokens never leave your browser.
- This tool does not verify the signature — never trust a JWT without verifying it on a trusted server.
- exp is shown as an ISO timestamp when present.
What a JWT actually contains
A JSON Web Token (JWT) is a compact, URL-safe string with three Base64url-encoded parts separated by dots: header.payload.signature. The header describes the signing algorithm, the payload carries claims (subject, issuer, expiry, custom fields), and the signature lets a verifier prove that the token was issued by someone who holds the signing key. This tool splits the token, decodes the first two parts, and pretty-prints them as JSON, all in your browser.
Decoding is not verifying
Anyone with the token can decode the header and payload — that is by design, because the payload is meant to be readable by the resource server. What proves the token has not been tampered with is the signature, which can only be checked with the issuer's public key (for asymmetric algorithms like RS256, ES256) or the shared secret (for HS256). This page decodes; it deliberately does not verify, because that requires the key material you should not be pasting into a random web page.
Claims worth knowing
- iss — issuer, the entity that produced the token.
- sub — subject, the user or principal the token represents.
- aud — audience, the service intended to consume the token.
- exp — expiration time, as Unix seconds.
- iat, nbf — issued-at and not-before timestamps.
Common debugging questions
If a service rejects your token, decode it here first. Common causes: the exp claim is in the past, the aud claim does not match the service's expected audience, or the algorithm in the header is one the verifier does not accept (an HS256 token sent to an RS256-only endpoint is a typical mistake).
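The checks listed above can be scripted. The following is an added example, not this tool's own code: it decodes the header and payload and reports the likely rejection causes without verifying the signature. The function names, the audience value "api.example" and the sample token are assumptions constructed for illustration.

```javascript
// Added example: names, the audience "api.example" and the sample token are constructed.
// Decode one base64url segment (URL-safe alphabet, padding stripped) into parsed JSON.
function decodeSegment(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Build an unverifiable sample token; the signature part is a placeholder, not a real MAC.
function makeSample(header, payload) {
  const enc = (obj) => btoa(JSON.stringify(obj))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc(header)}.${enc(payload)}.placeholder-signature`;
}

// Return the reasons a verifier would likely reject the token, before any signature check.
function diagnoseJwt(token, { expectedAud, acceptedAlgs, now = Math.floor(Date.now() / 1000) }) {
  const parts = token.split('.');
  if (parts.length !== 3) return ['malformed: expected header.payload.signature'];
  let header, payload;
  try {
    header = decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
    if (!header || !payload) throw new Error('segment is not a JSON object');
  } catch {
    return ['malformed: header or payload is not base64url-encoded JSON'];
  }
  const reasons = [];
  if (!acceptedAlgs.includes(header.alg)) {
    reasons.push(`alg ${header.alg} not accepted by verifier`);
  }
  if (typeof payload.exp === 'number' && payload.exp <= now) {
    reasons.push(`expired at ${new Date(payload.exp * 1000).toISOString()}`);
  }
  if (typeof payload.nbf === 'number' && payload.nbf > now) {
    reasons.push('not yet valid: nbf is in the future');
  }
  const aud = [].concat(payload.aud ?? []); // aud may be a single string or an array
  if (expectedAud && !aud.includes(expectedAud)) {
    reasons.push(`aud does not include ${expectedAud}`);
  }
  return reasons;
}

// Constructed sample: an HS256 token, already expired, checked against an RS256-only verifier.
const sample = makeSample({ alg: 'HS256', typ: 'JWT' },
  { sub: '1234567890', aud: 'api.example', iat: 1700000000, exp: 1700003600 });
console.log(diagnoseJwt(sample, { expectedAud: 'api.example', acceptedAlgs: ['RS256'], now: 1800000000 }));
```

An empty result only means these claim checks pass; the token is still untrusted until a server verifies its signature with the correct key.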