What are common JWT claims?

Common registered claims include: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). These are standardised fields defined in RFC 7519.

Back to Apps

JWT Decoder

Paste a JSON Web Token to decode and inspect its header, payload, and signature. All processing happens in your browser.

Token

What Is a JSON Web Token (JWT)?

A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519. It is widely used for authentication and authorization in web applications. A JWT allows information to be securely transmitted between parties as a digitally signed JSON object. The token can be signed using a secret (HMAC) or a public/private key pair (RSA or ECDSA).

The Three Parts of a JWT

Every JWT consists of three Base64URL-encoded parts separated by dots:

Header: contains the token type (typically "JWT") and the signing algorithm (e.g. HS256, RS256)
Payload: contains the claims, which are statements about the user and additional metadata
Signature: created by signing the encoded header and payload with a secret or private key to ensure integrity

Common JWT Claims

Claim	Name	Description
iss	Issuer	Identifies who issued the token
sub	Subject	Identifies the subject of the token (usually a user ID)
aud	Audience	Identifies the intended recipients
exp	Expiration Time	Unix timestamp after which the token is no longer valid
nbf	Not Before	Unix timestamp before which the token is not valid
iat	Issued At	Unix timestamp when the token was created
jti	JWT ID	Unique identifier for the token to prevent reuse

Frequently Asked Questions

What is a JSON Web Token (JWT)?+

A JWT is a compact, URL-safe token format used to transmit information between parties as a signed JSON object. It is commonly used for authentication and authorization in modern web applications.

What are the three parts of a JWT?+

A JWT has three parts separated by dots: the Header (algorithm and token type), the Payload (claims and data), and the Signature (used to verify integrity). Each part is Base64URL-encoded.

Is it safe to decode a JWT online?+

Yes. The header and payload of a JWT are only Base64URL-encoded, not encrypted, so decoding them does not expose any secret. This tool processes everything in your browser and never sends your token to a server. That said, avoid sharing tokens that grant access to sensitive resources.

Does this tool verify the JWT signature?+

No. This tool only decodes the token to show its contents. Signature verification requires the signing key (a shared secret or public key), which is not available to a client-side decoder.

What are registered claims in a JWT?+

Registered claims are a set of predefined fields defined in RFC 7519. They include iss (issuer), sub (subject), aud (audience), exp (expiration), nbf (not before), iat (issued at), and jti (JWT ID). These claims are not mandatory but are recommended for interoperability.