JWT Inspector

Decode and inspect JSON Web Tokens instantly. View the header, payload, and claims with human-readable explanations. Expiry countdown and security warnings included. Everything runs in your browser — your token never leaves your machine.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It consists of three Base64URL-encoded parts separated by dots: the Header (algorithm & type), the Payload (claims), and the Signature.

Standard Claims

The JWT specification (RFC 7519) defines registered claim names such as iss (issuer), sub (subject), aud (audience), exp (expiration), nbf (not before), and iat (issued at). This inspector explains each one in plain English.

Security Considerations

  • Never use alg: none. Such a token carries no signature, so a verifier that accepts it skips signature verification entirely.
  • Always set an expiry (exp) to limit token lifetime.
  • Keep token lifetimes short — prefer < 1 hour for access tokens.
  • Verify the signature server-side using the issuer's public key or secret.
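
The checks above can be expressed as a small decoder. This is an added example, not this inspector's own code; the function names, warning labels and sample tokens are made up for illustration.

```javascript
// Added example (not the inspector's own code). Decoding is NOT verification:
// nothing here checks the signature, so never make a trust decision on this output.
function b64urlToJson(part) {
  // Base64URL -> Base64: swap the URL-safe characters, then restore padding.
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Hypothetical helper: returns decoded parts plus warning labels (names are made up here).
function inspectJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const warnings = [];
  // Compare case-insensitively so "None" / "NONE" are flagged as well.
  if (String(header.alg).toLowerCase() === "none") warnings.push("alg-none");
  if (parts[2] === "") warnings.push("empty-signature");
  const hasExp = typeof payload.exp === "number";
  if (!hasExp) {
    warnings.push("no-exp");
  } else {
    if (payload.exp <= now) warnings.push("expired");
    // Assumption: without iat, measure the lifetime from the current time.
    const issued = typeof payload.iat === "number" ? payload.iat : now;
    if (payload.exp - issued >= 3600) warnings.push("lifetime-1h-or-more");
  }
  if (typeof payload.nbf === "number" && payload.nbf > now) warnings.push("not-yet-valid");
  return { header, payload, warnings, secondsLeft: hasExp ? payload.exp - now : null };
}

// Constructed sample tokens (built here; not real credentials).
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const unsignedToken =
  enc({ alg: "none", typ: "JWT" }) + "." +
  enc({ iss: "https://issuer.example", sub: "user-1", iat: 1700000000, exp: 1700007200 }) + ".";
const noExpiryToken =
  enc({ alg: "HS256", typ: "JWT" }) + "." + enc({ sub: "user-1", iat: 1700000000 }) + ".c2ln";

console.log(inspectJwt(unsignedToken, 1700000600).warnings);
console.log(inspectJwt(noExpiryToken, 1700000600).warnings);
```

The second argument pins the clock so the results are reproducible; omit it to use the current time.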