JWT Decoder

Decode and inspect JSON Web Tokens — header, payload, claims, and expiry status.

How It Works

A JSON Web Token (JWT) is a compact, URL-safe string used to represent claims between two parties. It consists of three base64url-encoded parts separated by dots: header.payload.signature.

The header declares the token type (typ) and the signing algorithm (alg), such as HS256 (HMAC-SHA256) or RS256 (RSA-SHA256). The payload contains the claims — statements about an entity (typically a user) and additional metadata. Common registered claims include iss (issuer), sub (subject), aud (audience), iat (issued at), and exp (expiration time).

The signature is computed by the issuer using the header, payload, and a secret or private key. You can always decode the header and payload — they are only encoded, not encrypted. However, you cannot verify the signature without the original secret or public key, which is why this tool decodes but does not verify. Never put sensitive data in a JWT payload unless the token is also encrypted (JWE).

Frequently Asked Questions

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe string representing claims between two parties. It consists of three base64url-encoded parts separated by dots: header.payload.signature. JWTs are widely used for authentication tokens in APIs and single-page applications.

Is it safe to paste my JWT into this tool?

The decoder runs entirely in your browser — nothing is sent to a server. However, treat production tokens with the same care as passwords. If a token grants access to sensitive resources, revoke it after debugging if you have any concern about exposure.

Can this tool verify a JWT signature?

No. Decoding (base64url-decoding the header and payload) is always possible. Verifying the signature requires the secret (for HMAC algorithms like HS256) or the public key (for RSA/ECDSA algorithms like RS256). Never trust a JWT's claims without verifying the signature on the server.

What is the difference between HS256 and RS256?

HS256 uses a single shared secret for both signing and verifying — suitable when the issuer and verifier are the same system. RS256 uses a private key to sign and a public key to verify — suitable for multi-party systems where the token issuer and verifiers are different services.

What does "exp" mean in a JWT payload?

exp is the expiration time claim — a Unix timestamp (seconds since epoch) after which the token must not be accepted. iat is the issued-at time. nbf is "not before" — the token must not be used before this time. This tool shows these as human-readable dates.