What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format used to securely transmit information between parties as a JSON object. JWTs are widely used for authentication and authorization in web applications and APIs.
A JWT consists of three Base64URL-encoded parts separated by dots:
Header.Payload.SignatureJWT Structure
| Part | Contains | Example |
|---|---|---|
| Header | Algorithm & token type | {"alg":"HS256","typ":"JWT"} |
| Payload | Claims (user data) | {"sub":"123","name":"Alice","iat":1516239022} |
| Signature | Integrity verification | HMACSHA256(base64(header)+"."+base64(payload), secret) |
Standard Claims
| Claim | Name | Description |
|---|---|---|
iss | Issuer | Who issued the token |
sub | Subject | Who the token refers to (usually user ID) |
aud | Audience | Who the token is intended for |
exp | Expiration | Unix timestamp — token is invalid after this time |
nbf | Not Before | Unix timestamp — token is invalid before this time |
iat | Issued At | Unix timestamp — when the token was issued |
jti | JWT ID | Unique identifier for this token |
Supported Algorithms
| Algorithm | Type | Key | Notes |
|---|---|---|---|
| HS256 | HMAC-SHA256 | Shared secret | Most common — this tool can verify |
| HS384 | HMAC-SHA384 | Shared secret | This tool can verify |
| HS512 | HMAC-SHA512 | Shared secret | This tool can verify |
| RS256 | RSA-SHA256 | Public/private key | Decode only (verification requires public key) |
| ES256 | ECDSA-SHA256 | Public/private key | Decode only |
Security Warning
Never paste production JWTs containing sensitive user data into online tools you don't control. This tool runs entirely in your browser — no data is sent to any server — but always be careful with real tokens.