Bee Hive
JWT Decoder
Decode and inspect JSON Web Tokens.
About JWT Decoder
Frequently Asked Questions
Is it safe to paste my JWT here?
Yes, decoding happens locally in your browser. However, never share your JWTs with untrusted parties as they contain sensitive session information.
Does this verify the signature?
No, this tool only decodes the payload. Signature verification requires the secret key (or the public key, for algorithms such as RS256 and ES256), and a secret key should not be entered here.
What is a JWT?
JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.
What are the three parts of a JWT?
A JWT consists of three Base64url-encoded parts (the URL-safe Base64 alphabet, without padding) separated by dots: Header (algorithm and token type), Payload (claims and data), and Signature (verification code). The format is: header.payload.signature
What claims are commonly found in the payload?
Common claims include 'iss' (issuer), 'sub' (subject/user ID), 'aud' (audience), 'exp' (expiration time), 'nbf' (not before), 'iat' (issued at), and 'jti' (JWT ID). Applications can also add custom claims.
Why can I read the JWT without the secret key?
JWTs are encoded, not encrypted. The signature lets a verifier detect tampering but doesn't hide the contents. Anyone can decode and read the Header and Payload. Never put sensitive information like passwords in a JWT.
What signing algorithms are used?
Common algorithms include HS256 (HMAC with SHA-256 using a shared secret), RS256 (RSA signature with SHA-256 using public/private key pair), and ES256 (ECDSA with SHA-256). The algorithm is specified in the Header.
How do I know if my token is valid?
This tool shows if the token is expired by checking the 'exp' claim. However, to fully validate a token (signature verification, issuer validation, audience checks), you need server-side verification with the appropriate secret or public key.
What does 'Invalid JWT token' mean?
This error appears when the token doesn't have the correct JWT format (three Base64url-encoded parts separated by dots) or when the Header or Payload cannot be parsed as valid JSON.
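The decode-only behaviour described in the answers above (three-part split, JSON parsing, the 'exp' check, and the 'Invalid JWT token' error) can be sketched as follows. This is an added example for Node.js, not this tool's own code; the names decodeJwt, b64urlToJson and SAMPLE are hypothetical and the token is constructed.

```javascript
// Added example: decode-only JWT inspection. It never verifies the signature.
// decodeJwt, b64urlToJson and SAMPLE are hypothetical names; the token is constructed.

function b64urlToJson(part) {
  // JWT segments use the URL-safe Base64 alphabet without padding.
  if (!/^[A-Za-z0-9_-]+$/.test(part)) throw new Error('Invalid JWT token');
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  const text = Buffer.from(b64, 'base64').toString('utf8');
  let value;
  try { value = JSON.parse(text); } catch { throw new Error('Invalid JWT token'); }
  // Header and Payload must each be a JSON object, not a string, number or array.
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error('Invalid JWT token');
  }
  return value;
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) throw new Error('Invalid JWT token');
  if (!/^[A-Za-z0-9_-]*$/.test(parts[2])) throw new Error('Invalid JWT token');
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  // 'exp' is seconds since the Unix epoch; if absent, no expiry is stated.
  const hasExp = typeof payload.exp === 'number';
  return {
    header,
    payload,
    expired: hasExp ? nowSeconds >= payload.exp : null,
    signatureVerified: false, // decoding alone never proves authenticity
  };
}

// Constructed sample token; the signature segment is a dummy value.
const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE = [
  enc({ alg: 'HS256', typ: 'JWT' }),
  enc({ sub: 'user-123', iss: 'https://issuer.example', exp: 1700000000 }),
  'c2lnbmF0dXJl',
].join('.');

console.log(decodeJwt(SAMPLE, 1700000001));
```

The result always reports signatureVerified as false: a token that decodes cleanly and is not expired can still be forged, so acceptance decisions belong to server-side verification.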
Can I edit or create JWTs with this tool?
No, this is a read-only decoder. Creating or modifying JWTs requires cryptographic signing with a secret key, which should only be done on trusted servers, never in browser-based tools.