DASH DEV TOOLS

JWT Decoder

Paste  ·  Decode  ·  Inspect

Frequently asked questions

What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It consists of three Base64URL-encoded parts separated by dots: a header, a payload, and a signature. JWTs are commonly used for authentication and information exchange in web applications.
Is it safe to paste my real JWT here?
Yes. jwtDash decodes entirely in your browser using JavaScript. Your token is never sent to any server or logged anywhere. That said, treat JWTs like passwords — avoid pasting production tokens into any tool you do not fully trust.
What does the header contain?
The header typically contains two fields: "alg" (the signing algorithm, such as HS256 or RS256) and "typ" (the token type, usually "JWT"). This tells the receiving party how the token was signed.
What does the payload contain?
The payload contains claims — statements about the subject (usually a user) and additional metadata. Common claims include "sub" (subject), "iss" (issuer), "aud" (audience), "exp" (expiry), "iat" (issued at), and any custom claims your application adds.
Can jwtDash verify the signature?
No. Signature verification requires the secret key or public key used when the token was signed. jwtDash only decodes the header and payload — it tells you what is inside the token, but cannot confirm whether the signature is valid.
What does "exp" mean and why is it highlighted?
The "exp" claim is a Unix timestamp indicating when the token expires. jwtDash reads this value and shows whether the token is still within its validity period, expiring soon, or already expired, so you can spot issues at a glance.
What is Base64URL encoding?
Base64URL is a variant of Base64 that uses "-" and "_" instead of "+" and "/" to make the output safe for use in URLs and HTTP headers. JWT parts are Base64URL-encoded, which is why they look like random strings of letters, numbers, and those two characters.
Why does my JWT have three parts?
Every JWT is structured as header.payload.signature: three Base64URL-encoded strings joined by dots. Once decoded, the header and payload are readable JSON. The signature is a keyed MAC (for example HS256) or a digital signature (for example RS256) computed over the encoded header and payload, which allows the receiver to verify the token has not been tampered with.
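
The decode-only inspection described in the answers above (three parts, Base64URL, the "exp" check, no signature verification), as an added example that is not jwtDash's own code. The function names, the status labels, the 300-second "expiring soon" threshold and the sample token are assumptions made for illustration.

```javascript
// Added example: decode-only JWT inspection. No signature check is performed,
// so every value returned here is untrusted input.

// Base64URL -> UTF-8 string: map "-" and "_" back to "+" and "/", restore padding.
function base64UrlDecode(part) {
  if (!/^[A-Za-z0-9_-]*$/.test(part)) throw new Error("not Base64URL");
  if (part.length % 4 === 1) throw new Error("invalid Base64URL length");
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(part.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Split header.payload.signature and parse the two JSON parts.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected 3 dot-separated parts");
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(base64UrlDecode(p)));
  // verified stays false: decoding says what is inside, not whether it is authentic.
  return { header, payload, signature: parts[2], verified: false };
}

// Classify "exp" (seconds since the Unix epoch). soonSeconds is an assumed threshold.
function expStatus(payload, nowSeconds = Math.floor(Date.now() / 1000), soonSeconds = 300) {
  if (typeof payload.exp !== "number" || !Number.isFinite(payload.exp)) return "no-exp";
  if (payload.exp <= nowSeconds) return "expired";
  return payload.exp - nowSeconds <= soonSeconds ? "expiring-soon" : "not-expired";
}

// Constructed sample token; the signature part is a dummy value, not a real MAC.
const toB64Url = (obj) => btoa(JSON.stringify(obj))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  toB64Url({ alg: "HS256", typ: "JWT" }),
  toB64Url({ sub: "user-123", iss: "https://issuer.example", exp: 1700000000 }),
  "c2lnbmF0dXJl",
].join(".");

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header, decoded.payload, expStatus(decoded.payload, 1699999900));
```

The sample token decodes cleanly even though its signature is a dummy, which is why claims read this way should not drive an authorization decision until the signature has been verified with the correct key.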