
JWT Decoder — Decode JSON Web Tokens

Decode the header and payload of any JWT (JSON Web Token). See the signature, expiry, issuer, and claims — without verifying, all in your browser.


Inspect JSON Web Tokens before trusting them

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. JWTs are widely used for authentication and authorization in modern web apps — they are the standard format for bearer tokens issued by OAuth and OpenID Connect servers. A JWT has three parts separated by dots: a header (which algorithm was used to sign), a payload (the actual claims), and a signature (a cryptographic check that the token has not been tampered with).

The Lintify JWT decoder reads the header and the payload of any JWT. Decoding is not the same as verifying — anyone can decode a JWT, because the header and payload are just base64url-encoded JSON. The signature is what proves the token was issued by someone who has the secret (for HS256) or the private key (for RS256). Lintify does not verify the signature, because that requires the secret or public key and depends on the algorithm declared in the header.

Reading the standard claims

The JWT specification (RFC 7519) defines a small set of standard claims that you will see in almost every token. iss is the issuer — who issued the token. sub is the subject — who the token is about, usually the user ID. aud is the audience — who the token is intended for. exp is the expiry time. nbf is the not-before time. iat is the issued-at time. jti is a unique identifier for the token. Lintify shows the human-readable form of the timestamp claims next to the raw epoch values.
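The decode-only step described above, as an added example that is not Lintify's own code: it splits a token on the dots, base64url-decodes the header and payload, refuses to guess at a five-part JWE, and renders the exp/nbf/iat claims as ISO timestamps next to their raw epoch values. The sample token is constructed inside the block (its signature segment is a placeholder string, since nothing here verifies it), and the code assumes Node's Buffer or, in a browser, atob/TextDecoder.

```javascript
// Added example (not Lintify's code): decode a JWT's header and payload
// WITHOUT verifying it, and show the time claims in human-readable form.
// Works in Node (Buffer) and in the browser (atob/TextDecoder).

function base64UrlDecode(segment) {
  // Restore the standard base64 alphabet and padding, then decode as UTF-8.
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  if (typeof Buffer !== 'undefined') return Buffer.from(b64, 'base64').toString('utf8');
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function base64UrlEncode(text) {
  // Only used here to build the constructed sample token.
  const bytes = new TextEncoder().encode(text);
  const b64 = typeof Buffer !== 'undefined'
    ? Buffer.from(bytes).toString('base64')
    : btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length === 5) {
    // JWE: five segments; the payload is encrypted and unreadable without the key.
    throw new Error('Token has 5 parts: looks like a JWE, payload cannot be read without the decryption key');
  }
  if (parts.length !== 3) {
    throw new Error(`Expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  return {
    header: JSON.parse(base64UrlDecode(h)),
    payload: JSON.parse(base64UrlDecode(p)),
    signature: s, // raw bytes, base64url-encoded; not JSON, left undecoded
  };
}

const TIME_CLAIMS = ['exp', 'nbf', 'iat'];

// Pair each epoch-seconds claim with an ISO string and flag expired / not-yet-valid.
function describeTimeClaims(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  const out = {};
  for (const name of TIME_CLAIMS) {
    if (typeof payload[name] === 'number') {
      out[name] = { raw: payload[name], iso: new Date(payload[name] * 1000).toISOString() };
    }
  }
  out.expired = typeof payload.exp === 'number' && payload.exp <= nowSeconds;
  out.notYetValid = typeof payload.nbf === 'number' && payload.nbf > nowSeconds;
  return out;
}

// Constructed sample token (not a real credential); the signature is a placeholder.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({
    iss: 'https://issuer.example', sub: 'user-123', aud: 'api.example',
    iat: 1700000000, nbf: 1700000000, exp: 1700003600, jti: 'constructed-jti-1',
  })),
  'placeholder-signature',
].join('.');

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header, decoded.payload);
console.log(describeTimeClaims(decoded.payload));
```

Nothing in this block proves the token is genuine: a tampered payload decodes just as cleanly as an authentic one, which is exactly why decoding must never substitute for verification.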

Decoding vs verifying

Decoding a JWT means reading the header and payload. Anyone with the token can do this — the header and payload are not encrypted, only base64url-encoded. This is by design: the recipient needs to read the claims to decide what to do with the token. The signature is what proves that the token was issued by someone with the secret or private key.

Verifying a JWT means checking the signature against the header and payload. For HS256, this requires the shared secret. For RS256, this requires the public key of the issuer. Lintify does not verify signatures because it does not have your secret. Use a library like jose or jsonwebtoken in your server code to verify tokens before trusting them.

Is it safe to paste a real JWT here?

Yes, because all decoding happens in your browser and nothing is sent to a server. That said, JWTs often carry sensitive claims — user IDs, email addresses, scopes. Be careful about screenshots and screen shares when you are showing a real production token to someone else. If you would not be comfortable printing the token on paper and handing it to a stranger, do not show it on a screen share.

Frequently asked questions

Common questions about the JWT Decoder tool.

Does the JWT decoder verify the signature?
No. Decoding only reads the unencrypted header and payload — anyone can do that. Signature verification requires the secret (for HS256) or the public key (for RS256), and the verification logic depends on the algorithm declared in the header. Lintify focuses on inspection; use a library like jose in your server for verification.
What do the standard claims like 'exp' and 'iat' mean?
exp is the expiry time, iat is the issued-at time, nbf is the not-before time, iss is the issuer, aud is the audience, and sub is the subject. All of them are defined in RFC 7519. Lintify shows the human-readable form next to the raw timestamp so you can tell at a glance whether the token has expired.
Why does my JWT have a third part that is not JSON?
The third part of a JWT is the cryptographic signature, which is raw bytes base64url-encoded. It is not a JSON object and Lintify does not try to decode it as JSON. The signature is what your server uses to confirm that the token has not been tampered with.
Can I decode a JWT that uses encryption (JWE)?
Lintify handles JWS (signed) tokens, which are the most common type. JWE (encrypted) tokens have five parts instead of three and require the decryption key to read the payload. Decoding a JWE without the key is impossible by design — that is the whole point of encryption.
Is it safe to paste a real JWT into this tool?
Yes, because all decoding happens in your browser and nothing is sent to a server. That said, JWTs often carry sensitive claims (user IDs, email addresses, scopes) — be careful about screenshots and screen shares when you are showing a real production token to someone else.
