JWT Decoder
Inspect a compact JSON Web Token locally, understand registered claims, and keep the distinction between decoding and verification explicit.
Encoded token
Paste a compact JSON Web Token
Decoded outputs
Decoded JSON, Java record model, and verification snippets
A decoded JWT is not a trusted JWT
JWT header and payload segments are Base64URL-encoded, not encrypted. Anyone can create readable segments. Signature verification requires the expected algorithm and a trusted key obtained through a secure, application-specific process.
PayloadHarbor intentionally does not accept signing secrets, fetch remote JWKS documents, or label tokens as valid. Use your application's authentication library to verify a token before trusting its claims.
Common registered claims
iss identifies the issuer. sub identifies the token's subject. aud identifies intended recipients. iat, nbf, and exp are NumericDate values in Unix seconds.
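The decode-only step described above, as an added Node.js example (not PayloadHarbor's own code): it Base64URL-decodes the header and payload, renders the NumericDate claims, and always reports the signature as unverified. The function names, the result shape, and the sample token are assumptions constructed for this illustration.

```javascript
// Added example: decode-only inspection of a compact JWT. No signature check happens here.
function decodeSegment(segment, name) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error(`${name} is not Base64URL`);
  // Base64URL uses '-' and '_' and drops padding; map back to the standard alphabet.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const value = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error(`${name} is not a JSON object`);
  }
  return value;
}

// NumericDate is seconds since the Unix epoch; JavaScript Date wants milliseconds.
function numericDateToIso(value) {
  if (value === undefined) return null;
  const inRange = typeof value === "number" && Math.abs(value) <= 8.64e12;
  return inRange ? new Date(value * 1000).toISOString() : "not a NumericDate";
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = decodeSegment(parts[0], "header");
  const payload = decodeSegment(parts[1], "payload");
  const { iat, nbf, exp } = payload;
  return {
    header,
    payload,
    times: { iat: numericDateToIso(iat), nbf: numericDateToIso(nbf), exp: numericDateToIso(exp) },
    // Informational only: a hand-built token can carry any exp or nbf it likes.
    expired: typeof exp === "number" && nowSeconds >= exp,
    notYetValid: typeof nbf === "number" && nowSeconds < nbf,
    signatureVerified: false, // always false: decoding proves nothing about origin
  };
}

// Constructed sample: assembled here with no key, yet it decodes like any issued token.
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ iss: "https://issuer.example", sub: "user-123", aud: "api.example",
        iat: 1700000000, nbf: 1700000000, exp: 1700003600, role: "admin" }),
  "placeholder-not-a-signature",
].join(".");
```

The sample decodes cleanly and shows role "admin" even though its third segment is a placeholder, which is why the result never claims the token is valid.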
Handling tokens safely
Prefer synthetic or redacted tokens for debugging. Even with browser-local processing, tokens can be exposed through malicious extensions, clipboard managers, screen sharing, device compromise, or accidental logging elsewhere. Never treat a decoded payload as proof of identity or authorization.