Vynoe
100% CLIENT-SIDE • YOUR TOKENS NEVER LEAVE YOUR BROWSER

JWT Decoder

Decode and inspect JSON Web Tokens instantly. View header, payload, and signature with formatted output and expiration checking.

PASTE YOUR JWT

How It Works

1. Paste your JWT token or load a sample
2. Token is split into 3 Base64URL parts
3. Header and payload are decoded as JSON
4. View claims, expiry status, and signature

Understanding JSON Web Tokens

What Is a JWT?

JSON Web Tokens (JWT) are a compact, URL-safe way to represent claims between two parties. They are commonly used for authentication and information exchange in web applications.

Three-Part Structure

Every JWT consists of three Base64URL-encoded parts: the Header (algorithm and type), the Payload (claims and data), and the Signature (verification hash).

Privacy First Decoding

Our decoder works entirely in your browser. Your tokens are never sent to any server, keeping your authentication data and sensitive claims completely private.

Common JWT Claims Explained

JWTs contain claims -- pieces of information about the token and the user. Standard claims include sub (subject, usually the user ID), iss (issuer, who created the token), aud (audience, who the token is for), exp (expiration time as a Unix timestamp), and iat (issued at time). Our decoder highlights these key claims and automatically converts timestamps to human-readable dates for easy inspection.

Frequently Asked Questions

What is a JSON Web Token (JWT)?
A JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. JWTs are commonly used for authentication -- after a user logs in, each subsequent request includes the JWT, allowing access to routes, services, and resources permitted with that token.
Is it safe to decode JWTs in the browser?
Yes, decoding (reading) a JWT is perfectly safe. The payload is only Base64URL-encoded, not encrypted, so anyone with the token can read it. What matters is the signature verification, which requires the secret key. Our tool decodes tokens entirely in your browser -- nothing is sent to any server.
Can this tool verify JWT signatures?
This tool decodes and inspects JWTs but does not verify signatures. Signature verification requires the server's secret key (HMAC) or public key (RSA/ECDSA). Never share your secret key with any online tool. Use server-side libraries for signature verification.
What does it mean when a JWT is expired?
When the current time exceeds the "exp" (expiration) claim, the token is expired. Expired tokens should be rejected by the server. Our decoder shows a red "EXPIRED" badge and countdown so you can quickly check if a token is still valid.
What are the three parts of a JWT?
A JWT has three Base64URL-encoded parts separated by dots: the Header (contains the signing algorithm and token type), the Payload (contains the claims/data), and the Signature (a hash that verifies the token has not been tampered with). Our decoder displays each part with color coding -- red for header, purple for payload, blue for signature.
Why should I not put sensitive data in a JWT payload?
JWT payloads are encoded, not encrypted. Anyone with the token can decode and read the payload. Never put passwords, credit card numbers, or other sensitive data in JWTs. Use them for identifiers, roles, and metadata that are safe to expose if the token is intercepted.