JWT Decoder
Decode and inspect any JSON Web Token instantly. View header, payload, expiry, and signature structure. No data is sent to our servers.
⚠️ Signature verification requires the secret key and cannot be done client-side without it.
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and information exchange. It consists of three Base64URL-encoded parts separated by dots: header.payload.signature.
Header
Contains the token type (JWT) and signing algorithm (HS256, RS256, ES256, etc.)
Payload
Contains claims: sub (subject), iat (issued at), exp (expiry), aud (audience), and custom fields.
Signature
Verifies the token hasn't been tampered with. Created using the algorithm and a secret/private key.
Common JWT Claims
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Who issued the token |
| sub | Subject | Who the token is about (usually user ID) |
| aud | Audience | Who the token is intended for |
| exp | Expiration | When the token expires (Unix timestamp) |
| iat | Issued At | When the token was issued |
| nbf | Not Before | Token is not valid before this time |
| jti | JWT ID | Unique identifier for this token |
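The three-part structure and the claims described above, as an added example (not the DevKits tool's own code): a JavaScript decoder that splits the token, Base64URL-decodes the header and payload, and checks `exp` and `nbf` against a clock value. The function names and the sample token are constructed for illustration. The code reports `verified: false` because it never checks the signature.

```javascript
// Added example: structural JWT inspection only; no signature verification.

// Decode one Base64URL segment (URL-safe alphabet, padding stripped) to text.
function b64urlDecode(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error("not Base64URL");
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Parse a segment that must hold a JSON object (header or payload).
function decodeJsonPart(seg, name) {
  const obj = JSON.parse(b64urlDecode(seg));
  if (obj === null || typeof obj !== "object" || Array.isArray(obj))
    throw new Error(name + " is not a JSON object");
  return obj;
}

// Split header.payload.signature and report what is knowable without a key.
function inspectJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected 3 dot-separated parts");
  const header = decodeJsonPart(parts[0], "header");
  const payload = decodeJsonPart(parts[1], "payload");
  const warnings = [];
  if (String(header.alg).toLowerCase() === "none" || parts[2] === "")
    warnings.push("unsigned");
  if (typeof payload.exp !== "number") warnings.push("no exp claim");
  else if (payload.exp <= nowSec) warnings.push("expired");
  if (typeof payload.nbf === "number" && payload.nbf > nowSec)
    warnings.push("not yet valid");
  return { header, payload, verified: false, warnings };
}

// Build a constructed sample token; the signature is a placeholder, not a MAC.
function makeSample(header, payload, sig) {
  const enc = (o) => btoa(JSON.stringify(o))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return enc(header) + "." + enc(payload) + "." + sig;
}

const SAMPLE = makeSample({ alg: "HS256", typ: "JWT" },
  { sub: "user-123", iat: 1700000000, exp: 1700003600 }, "c2lnbmF0dXJl");
console.log(inspectJwt(SAMPLE, 1700000100));
```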
🔒 100% Client-Side
Your JWT is decoded entirely in your browser using JavaScript. Nothing is sent to our servers. Safe to use with real tokens.
Need JWT decoding in your code?
Use the DevKits REST API to decode JWTs programmatically. Unlike the in-browser decoder, this request sends the token to the API server:
curl -X POST https://api.aiforeverthing.com/api/jwt/decode \
-H "Content-Type: application/json" \
-d '{"token": "YOUR_JWT_HERE"}'