JWT Structure Explained
A JSON Web Token consists of three parts: Header, Payload, and Signature. Paste any JWT into the decoder above to see each part broken down with syntax highlighting.
JWT Decoder
Decode and inspect JSON Web Tokens. View header, payload, and expiration status.
JWT Header
The header is a JSON object with two fields: "alg" (the signing algorithm, e.g., HS256, RS256) and "typ" (token type, always "JWT"). It is Base64url-encoded to form the first part of the token. The header tells the receiver how to verify the signature.
JWT Payload
The payload contains the claims: statements about the user and other metadata. Claims come in three types: registered claims (iss, sub, exp and others standardized by RFC 7519), public claims (defined in the IANA JSON Web Token registry), and private claims (custom, application-specific claims agreed upon between the parties).
JWT Signature
The signature is computed over the encoded header and the encoded payload, using the algorithm named in the header and either a shared secret (HMAC) or a private key (asymmetric algorithms). For HMAC: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret). A valid signature shows the token was not altered after signing and, with asymmetric algorithms, also identifies the issuer that holds the private key.
Frequently Asked Questions
Can I decode a JWT without the secret key?
Yes. The header and payload are only Base64url-encoded, not encrypted. You can decode and read them without any key. The secret key is only needed to verify the signature.
What happens if a JWT is expired?
An expired JWT (current time past the "exp" claim) should be rejected by the server. The token is still decodable, but the server should not trust its claims. Clients should request a new token using a refresh token.
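The signature formula above and the two FAQ answers (reading a token without the key, rejecting an expired one) can be worked through in a few lines of Python. This is an added example, not code from the decoder on this page; the secret, claims and timestamps are constructed for the demonstration, and the verifier pins the expected algorithm rather than trusting the "alg" field it reads from the token.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

def b64url_encode(data: bytes) -> str:
    # Base64url as JWT uses it: URL-safe alphabet, "=" padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Restore the padding the token format omits before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def decode_unverified(token: str):
    # Header and payload are only encoded, not encrypted: no key needed to read them.
    # Nothing here is trustworthy until verify_hs256() has checked the signature.
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # Signature = HMAC-SHA256(base64url(header) + "." + base64url(payload), secret)
    def enc(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    # Returns the payload if the signature and expiry check out, raises ValueError otherwise.
    # The accepted algorithm is fixed by the verifier; the header's "alg" must match it.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:  # RFC 7519: current time must be before exp
        raise ValueError("token expired")
    return payload

# Constructed demo values (not from a real system)
SECRET = b"demo-secret-not-for-production"
DEMO_HEADER = {"alg": "HS256", "typ": "JWT"}
DEMO_PAYLOAD = {"iss": "example-issuer", "sub": "user-123", "exp": 1700000000}
DEMO_TOKEN = sign_hs256(DEMO_HEADER, DEMO_PAYLOAD, SECRET)
```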