🔒 Your JWT is decoded entirely in your browser. No data is sent to any server.
Registered Claims (RFC 7519)
| iss | Issuer - Identifies the principal that issued the JWT |
| sub | Subject - Identifies the principal that is the subject of the JWT (usually user ID) |
| aud | Audience - Identifies the recipients that the JWT is intended for |
| exp | Expiration Time - Unix timestamp when the token expires |
| nbf | Not Before - Unix timestamp before which the JWT must not be accepted |
| iat | Issued At - Unix timestamp when the JWT was issued |
| jti | JWT ID - Unique identifier for the JWT (prevents replay attacks) |
OpenID Connect Claims
| nonce | Nonce - Random value used to associate a client session with an ID token and prevent replay attacks |
| azp | Authorized Party - Client ID of the party to which the ID token was issued |
| auth_time | Authentication Time - Unix timestamp when the user was actually authenticated |
| acr | Authentication Context Class Reference - Level of assurance of the authentication (e.g., "urn:mace:incommon:iap:silver") |
| amr | Authentication Methods References - Array of authentication methods used (e.g., ["pwd", "otp", "sms"]) |
| at_hash | Access Token Hash - Hash of the Access Token, used to validate the token binding |
| sid | Session ID - Identifier for the session at the identity provider |
Common Custom Claims
| name | Full Name - User's full name |
| email | Email Address - User's email address |
| roles | User Roles - Array of role identifiers assigned to the user |
| groups | Groups - Array of group identifiers the user belongs to |
| scope | OAuth 2.0 Scope - Space-separated list of scopes granted to the token |
| permissions | Permissions - Array of permission strings granted to the user |
| tenant_id | Tenant ID - Identifier for the tenant or organization (common in Azure AD, Okta) |
Header Claims
| alg | Algorithm - Cryptographic algorithm used to sign the token (e.g., HS256, RS256) |
| typ | Type - Type of token (usually "JWT") |
| kid | Key ID - Identifier for the key used to sign the token |
| jku | JWK Set URL - URL referencing the JWK Set containing the public key |
| x5c | X.509 Certificate Chain - X.509 certificate chain as a JSON array |
Common Algorithms
| HS256 | HMAC SHA-256 - Symmetric algorithm using shared secret |
| RS256 | RSA SHA-256 - Asymmetric algorithm using RSA public/private keys |
| ES256 | ECDSA SHA-256 - Asymmetric algorithm using elliptic curve cryptography |
| PS256 | RSA-PSS SHA-256 - RSA with probabilistic signature scheme |
| EdDSA | Edwards-curve DSA - Asymmetric algorithm using Edwards curves |
| none | No Signature - Unsecured JWT (not recommended for production) |
About JWT Decoder
JWT Decoder decodes JSON Web Tokens to reveal their header, payload, and signature. JWTs are widely used for authentication and authorization in web APIs: they encode claims such as user ID, roles, and expiration time in three Base64url-encoded segments (header, payload, signature) separated by dots.
Use it to inspect a token returned by an authentication API during development, to check whether a token has expired by reading the exp claim, to verify what roles and permissions are encoded in a token, or to debug authentication issues by seeing exactly what claims the server issued. The decoder shows the token's expiration status relative to the current time.
JWT decoding is done entirely in your browser; the token string never leaves your device. Note: this tool does not verify the signature. Decoding only shows what a token claims, so a token that decodes cleanly may still be expired, forged, or altered; only signature verification against the issuer's key establishes that the claims were actually issued by the server.