JWT Decoder & Inspector
Decode and inspect JWT tokens — header, payload, claims at a glance
How to Use the JWT Decoder & Inspector
- Paste any JWT token into the input field.
- The header, payload, and signature are decoded and displayed instantly.
- Time claims such as exp and iat are shown with human-readable timestamps, next to identity claims such as sub.
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format used to represent claims between two parties. It consists of three Base64URL-encoded parts separated by dots: Header.Payload.Signature.
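To make that structure concrete, here is an added example (not CipherKit's own code) of the decoding step an inspector performs: split on the two dots, Base64URL-decode the first two segments, and render the NumericDate claims. It assumes a Node.js runtime for `Buffer`; the sample token is the widely published jwt.io demonstration token and is only decoded here, never verified.

```javascript
// Added example (not CipherKit's own code): decode a compact JWT (JWS) into its
// header, payload and raw signature without verifying it, and render the
// NumericDate claims as ISO timestamps. Assumes Node.js (uses Buffer).

const TIME_CLAIMS = ['iat', 'nbf', 'exp']; // seconds since the Unix epoch

// Base64URL -> UTF-8 text. JWT segments drop the '=' padding and use '-' and
// '_' in place of '+' and '/', so undo both before handing the text to Buffer.
function base64UrlDecode(segment) {
  const pad = '='.repeat((4 - (segment.length % 4)) % 4);
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/') + pad;
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Split on the dots and JSON-parse the first two segments. The signature is
// not JSON; keep it Base64URL-encoded for a verifier to check later.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [rawHeader, rawPayload, rawSignature] = parts;
  return {
    header: JSON.parse(base64UrlDecode(rawHeader)),
    payload: JSON.parse(base64UrlDecode(rawPayload)),
    signature: rawSignature,
    signingInput: `${rawHeader}.${rawPayload}`, // the bytes the signature covers
  };
}

// Human-readable view of the time claims plus an expiry verdict relative to
// `now` (Unix seconds). `expired` stays null when the token carries no exp.
function describeTimeClaims(payload, now = Math.floor(Date.now() / 1000)) {
  const out = { expired: null };
  for (const claim of TIME_CLAIMS) {
    if (typeof payload[claim] === 'number') {
      out[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  if (typeof payload.exp === 'number') out.expired = payload.exp <= now;
  return out;
}

// The well-known jwt.io sample token: header {"alg":"HS256","typ":"JWT"},
// payload {"sub":"1234567890","name":"John Doe","iat":1516239022}. Its
// signature segment is whatever the issuer produced; decoding ignores it.
const SAMPLE_JWT =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

const decoded = decodeJwt(SAMPLE_JWT);
console.log('header:', decoded.header);
console.log('payload:', decoded.payload);
console.log('time claims:', describeTimeClaims(decoded.payload));
```

Nothing in this block touches a key: it reads the header's `alg` only to display it, which is exactly why a decoded token is readable but not trustworthy until the signature has been checked.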
Colour-coded display
- ● Header — algorithm & token type
- ● Payload — claims (sub, exp, iat, …)
- ● Signature — an HMAC or digital signature over the header and payload (not a plain hash)
Common uses
- Authentication — servers issue JWTs after login; clients send them with each request
- API authorization — REST APIs use JWTs in the Authorization header
- SSO — single sign-on systems share identity via JWT
Security note: JWTs are not encrypted by default — the payload is only Base64-encoded and readable by anyone. Never store sensitive data (passwords, card numbers) in a JWT payload unless using JWE (JSON Web Encryption).
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties as a JSON object. A JWT has three parts separated by dots: Header (algorithm and token type), Payload (claims/data), and Signature (verification). The header and payload are Base64URL-encoded — not encrypted — so anyone can read them.
Common Uses
- Debugging authentication issues in APIs and web apps
- Inspecting token expiry (exp claim) to diagnose "token expired" errors
- Verifying token structure in OAuth 2.0 and OpenID Connect flows
- Reading user claims (sub, email, roles) from a token during development
Frequently Asked Questions
Is it safe to paste my JWT into an online decoder?
CipherKit decodes JWTs 100 % in your browser — no data is sent to any server. Even so, treat JWTs as credentials: a live token may contain user data and grants whatever access it was issued for, so anyone who sees it can replay it until it expires. Prefer expired or test tokens where you can, and if you must inspect a production token, use a client-side tool like CipherKit rather than one that uploads it.
Why can I read the JWT payload without a secret key?
JWT payloads are only encoded (Base64URL), not encrypted. Anyone who has the token can read the payload. The signature prevents tampering but does not hide the data. Never put sensitive data in a JWT payload unless using JWE (encrypted JWTs).
What does "signature not verified" mean?
It means the decoder has not confirmed that the signature was produced with the expected key, so the header and payload are readable but cannot be trusted. Verification needs the shared secret for HMAC algorithms such as HS256, or the issuer's public key for asymmetric algorithms such as RS256 or ES256; an inspector that has neither can only display the token, not vouch for it.