Free Online JWT Decoder & Encoder

JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. It's commonly used for authentication and information exchange. A JWT consists of three parts: Header, Payload, and Signature, separated by dots.

Yes, completely safe. This JWT decoder runs entirely in your browser using client-side JavaScript. Your tokens never leave your device or get uploaded to any server, ensuring complete privacy and security.

Simply paste your complete JWT token string into the input area and click the "Decode" button (or enable realtime mode for automatic decoding). The decoder will parse the token and display each part with syntax-highlighted JSON formatting.

The JWT header is a JSON object that contains metadata about the token. It typically includes two fields: "alg" (the signing algorithm such as HS256, RS256, or ES256) and "typ" (the token type, usually "JWT"). The header is Base64Url encoded to form the first part of the JWT.

The JWT payload contains the claims — statements about an entity (typically the user) and additional data. Common claims include: sub (subject), iat (issued at), exp (expiration), iss (issuer), aud (audience), and nbf (not before).

The JWT signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed. It's created by signing the encoded header and payload with a secret key using the algorithm specified in the header.

This decoder automatically reads the "exp" (expiration time) and "nbf" (not before) claims from the payload and compares them with the current system time. Valid tokens are highlighted in green with remaining validity time displayed.

Yes! Switch to the "Encode" tab to create and sign JWT tokens. You can customize the header and payload JSON, select from multiple signing algorithms (HS256, HS384, HS512, or none), enter your secret key, and optionally add standard claims.