A fully bidirectional client-side tool to encode, decode, and verify JSON Web Tokens (JWT) instantly. Paste your encoded token on the left to inspect its header, payload claims, and signature, or edit the JSON values and select a signing algorithm on the right to build and encode a new token in real time.
What is a JSON Web Token (JWT)?
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. Signing protects integrity, not confidentiality: the header and payload of a signed JWT are only base64url-encoded, so anyone who holds the token can read its claims.
Bidirectional Encoding & Decoding
This tool operates as a fully bidirectional utility, letting you perform both actions seamlessly:
Decoding (Token to JSON): Paste an encoded JWT into the left panel. The tool instantly splits it, base64url-decodes the header and payload, checks standard claims, parses dates, and evaluates the cryptographic signature.
Encoding (JSON to Token): Edit the JSON fields directly in the Header and Payload textareas on the right, change the signing algorithm, and customize the key/secret. The tool re-encodes and signs your changes into a valid JWT on the left in real time.
Structure of a JWT
In its compact form, JSON Web Tokens consist of three parts separated by dots (.), which are:
Header: Typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA-256 or RSA.
Payload: Contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims.
Signature: To create the signature part, you take the encoded header and the encoded payload, joined by a dot, and sign them with a secret using the algorithm specified in the header. The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.
Common Registered Claims
Standard registered claims provide useful metadata about the lifetime and scope of the token:
iss (Issuer): The entity that issued the token.
sub (Subject): The unique identifier of the subject (user ID, client ID).
aud (Audience): The intended recipient of the token.
exp (Expiration Time): The timestamp identifying when the token expires.
iat (Issued At): The timestamp identifying when the token was created.