Decode JWT Claims Online
Decode and inspect JWT claims: subject, issuer, expiration, custom claims, and more.
Standard JWT Claims
JWT claims are the key-value pairs in the payload. Registered claims are standardized in RFC 7519:
iss (issuer: who created the token), sub (subject: who the token represents), aud (audience: intended recipient), exp (expiration), nbf (not before), iat (issued at), and jti (JWT ID: unique identifier). Custom claims carry application-specific data like user roles, permissions, or tenant IDs.
Working with JWT Claims
- Keep payloads small: Every claim increases the size of the token, and the token is sent with every request. Include only what the recipient needs.
- Don't store secrets: JWT payloads are Base64url-encoded, not encrypted. Anyone with the token can read the claims.
- Use standard claim names: Stick to registered claims where possible for interoperability across libraries and services.
- Namespace custom claims: Prefix custom claims with a domain or app name (e.g., app:role) to avoid collisions.
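// Decode JWT claims (no verification)
function decodeJWT(token) {
  const parts = token.split('.');
  // JWT segments are base64url: map to the standard alphabet and restore padding before atob()
  const b64urlDecode = (seg) => {
    const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
    const bin = atob(b64.padEnd(Math.ceil(b64.length / 4) * 4, '='));
    // atob() returns a byte string; decode it as UTF-8 so non-ASCII claims survive
    return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
  };
  return {
    header: JSON.parse(b64urlDecode(parts[0])),
    payload: JSON.parse(b64urlDecode(parts[1])),
  };
}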
// Example decoded payload
{
  "iss": "auth.example.com",
  "sub": "user_12345",
  "aud": "api.example.com",
  "exp": 1710432000,
  "iat": 1710428400,
  "role": "admin",
  "permissions": ["read", "write"]
}
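
Decoding shows what a token claims, not whether a recipient should accept it. The following is an added example, not code from the original page: one way to check the registered claims (iss, aud, exp, nbf, iat) on a decoded payload once a JWT library has verified the signature. The function name validateClaims, its options, and the 60-second clock skew are assumptions made for illustration.

```javascript
// Added example: checks RFC 7519 registered claims on an already-decoded payload.
// Assumes the signature was verified elsewhere; names and defaults are illustrative.
function validateClaims(payload, opts = {}) {
  const { issuer, audience, now = Math.floor(Date.now() / 1000), skew = 60 } = opts;
  if (typeof issuer !== 'string' || typeof audience !== 'string') throw new TypeError('issuer and audience are required');
  const errors = [];
  const isNum = (v) => typeof v === 'number' && Number.isFinite(v);

  // iss: exact string match against the issuer this service trusts
  if (payload.iss !== issuer) errors.push('iss mismatch');

  // aud: may be a single string or an array of strings; this service must be listed
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(audience)) errors.push('aud mismatch');

  // exp: required here; reject at or after exp, allowing for clock skew
  if (!isNum(payload.exp)) errors.push('exp missing or not numeric');
  else if (now >= payload.exp + skew) errors.push('token expired');

  // nbf: optional; reject before nbf, allowing for clock skew
  if (payload.nbf !== undefined) {
    if (!isNum(payload.nbf)) errors.push('nbf not numeric');
    else if (now < payload.nbf - skew) errors.push('token not yet valid');
  }

  // iat: optional; an issue time in the future points to a bad clock or a bad token
  if (payload.iat !== undefined && (!isNum(payload.iat) || payload.iat > now + skew)) {
    errors.push('iat invalid or in the future');
  }

  return { valid: errors.length === 0, errors };
}

// Constructed sample payload, same values as the decoded example above
const samplePayload = {
  iss: 'auth.example.com',
  sub: 'user_12345',
  aud: 'api.example.com',
  exp: 1710432000,
  iat: 1710428400,
};
const expected = { issuer: 'auth.example.com', audience: 'api.example.com' };

console.log(validateClaims(samplePayload, { ...expected, now: 1710430000 }));
console.log(validateClaims(samplePayload, { ...expected, now: 1710432100 }));
console.log(validateClaims(samplePayload, { ...expected, audience: 'billing.example.com', now: 1710430000 }));
```

The function collects every failed check instead of stopping at the first, which makes rejected tokens easier to diagnose in logs.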