
What is JWT (JSON Web Token)?

Also known as: JSON Web Token, bearer token.

Last updated: July 2026

JWT (JSON Web Token)
A JWT (JSON Web Token, defined in RFC 7519) is a compact, URL-safe way to represent claims between two parties. It has three Base64url-encoded parts separated by dots — header, payload and signature — and is commonly used as an authentication token. It's signed, not encrypted, so the payload is readable by anyone.

The three parts

A JWT is written as header.payload.signature. The header declares the signing algorithm (e.g. HS256 or RS256). The payload holds the claims — data such as the user ID, expiry (exp) and issuer (iss). The signature is computed from the first two parts plus a secret or private key, and proves the token hasn't been altered.

Signed, not encrypted

By default a JWT is signed but not encrypted. Anyone can Base64url-decode and read the payload, so you must never store secrets in it. The signature only guarantees integrity and authenticity — that the token came from who it claims and wasn't tampered with.
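The difference between reading a token and trusting it, as an added example (not code from this page or from any JWT library). It uses only the Python standard library; the secret, claims and function names are constructed for illustration, and it assumes HS256 with a shared secret.

```python
import base64, hashlib, hmac, json

def b64url_encode(raw):
    # JWTs use Base64url with the trailing "=" padding stripped.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(part):
    # Restore the stripped padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign_hs256(payload, secret):
    # header.payload is the signing input; the HMAC over it is the third part.
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url_encode(json.dumps(o, separators=(",", ":")).encode())
                             for o in (header, payload))
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def decode_unverified(token):
    # Needs no key: this is all a decoder does. The result is readable, not trusted.
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def verify_hs256(token, secret):
    # Returns the claims only when the signature matches, otherwise None.
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # the verifier pins the algorithm, not the token's header
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
            return None
        return json.loads(b64url_decode(payload_b64))
    except (ValueError, AttributeError):  # wrong part count, bad Base64url/JSON, non-object header
        return None

# Constructed sample values, not real credentials.
SECRET = b"constructed-demo-secret"
CLAIMS = {"sub": "user-42", "iss": "example-issuer", "exp": 1900000000}
TOKEN = sign_hs256(CLAIMS, SECRET)

# Same header and signature, altered payload: still decodes, no longer verifies.
_h, _p, _s = TOKEN.split(".")
TAMPERED = f"{_h}.{b64url_encode(json.dumps(dict(CLAIMS, sub='admin')).encode())}.{_s}"

if __name__ == "__main__":
    print(decode_unverified(TAMPERED)[1])   # readable without the secret
    print(verify_hs256(TOKEN, SECRET))      # claims
    print(verify_hs256(TAMPERED, SECRET))   # None
```

A complete verifier would also check exp and iss after the signature passes; this block covers only the signature step.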

FAQ

Is a JWT encrypted?

No — by default it is signed, not encrypted. The payload is only Base64url-encoded and can be read by anyone, so never put secrets in it.

What does decoding a JWT show?

The header and payload as readable JSON, including standard claims like exp (expiry), iat (issued-at) and iss (issuer).
