JWT Decoder

Decode JSON Web Tokens to inspect the header, payload, claims, signature, and expiration status.

Anatomy of a JWT

A JWT is three Base64URL-encoded parts separated by dots: header.payload.signature. The header and payload are JSON objects; the signature is a byte string computed over the first two parts. Only the signature requires the secret key; the header and payload are readable by anyone with the token.

// Header — algorithm and token type
{
  "alg": "HS256",
  "typ": "JWT"
}

// Payload — claims (user data + metadata)
{
  "sub": "user_123",
  "name": "Alice",
  "role": "admin",
  "iat": 1700000000,   // issued at (Unix timestamp)
  "exp": 1700003600    // expires at (1 hour later)
}

// Signature — verifies the token hasn't been tampered with
HMACSHA256(base64url(header) + "." + base64url(payload), secret)

Standard JWT claims

| Claim | Name | Description |
|-------|------|-------------|
| sub | Subject | Unique identifier of the user (user ID, email) |
| iss | Issuer | Who created the token (your auth server URL) |
| aud | Audience | Who the token is intended for (your API URL) |
| exp | Expiration | Unix timestamp after which the token is invalid |
| iat | Issued At | Unix timestamp when the token was created |
| nbf | Not Before | Token is invalid before this Unix timestamp |
| jti | JWT ID | Unique token ID, used to prevent replay attacks |

Decoding vs. verifying a JWT

Decoding just reads the header and payload — it requires no key and proves nothing about authenticity. Verification checks the signature against a secret (HMAC) or public key (RSA/ECDSA) to confirm the token was issued by a trusted party and hasn't been modified. Always verify tokens server-side before trusting their claims.
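The difference between the two operations, as an added Node.js example that is not part of the original tool: a token whose payload was edited after issuance still decodes cleanly, and only the HS256 check rejects it. The function names, the secret and both tokens are constructed for this illustration, and treating a missing exp as a failure is a policy assumed here.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const mac = (input, secret) => createHmac("sha256", secret).update(input).digest();

// Decoding: split on dots and parse the first two parts. No key involved.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts.slice(0, 2)
    .map((p) => JSON.parse(Buffer.from(p, "base64url").toString("utf8")));
  return { header, payload, signingInput: `${parts[0]}.${parts[1]}`, signature: parts[2] };
}

// Verification: pin the algorithm, recompute the HMAC over header.payload,
// compare in constant time, and only then look at the claims.
function verifyHs256(token, secret, nowSeconds) {
  const { header, payload, signingInput, signature } = decodeJwt(token);
  if (header.alg !== "HS256") return { ok: false, reason: "unexpected alg" };
  const expected = mac(signingInput, secret);
  const given = Buffer.from(signature, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad signature" };
  }
  // Policy assumed by this example: exp is mandatory.
  if (typeof payload.exp !== "number" || nowSeconds >= payload.exp) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, payload };
}

// Constructed sample data (the key and both tokens are made up for this demo).
const SECRET = "constructed-demo-secret";
const claims = { sub: "user_123", name: "Alice", role: "user", iat: 1700000000, exp: 1700003600 };
const head = enc({ alg: "HS256", typ: "JWT" });
const body = enc(claims);
const goodToken = `${head}.${body}.${mac(`${head}.${body}`, SECRET).toString("base64url")}`;
// Same header and signature, payload edited after issuance.
const alteredToken = `${head}.${enc({ ...claims, role: "admin" })}.${goodToken.split(".")[2]}`;

console.log(decodeJwt(alteredToken).payload.role); // decoding raises no error
console.log(verifyHs256(goodToken, SECRET, 1700000100));
console.log(verifyHs256(alteredToken, SECRET, 1700000100));
console.log(verifyHs256(goodToken, SECRET, 1700003600));
```
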

Frequently Asked Questions

What is a JWT (JSON Web Token)?

A JWT is a compact, URL-safe token format used for authentication and authorization. It consists of three Base64URL-encoded parts: header (algorithm info), payload (claims/data), and signature (verification).

Does this tool verify JWT signatures?

No. This tool only decodes the JWT to display its contents. Signature verification requires the secret key or public key, which should never be shared with online tools for security reasons.

Can I see if my JWT is expired?

Yes. The tool checks the 'exp' (expiration) claim and clearly indicates whether the token is expired or still valid, along with the human-readable expiration date.

Is it safe to paste my JWT here?

Yes. All decoding happens entirely in your browser. The JWT never leaves your device. However, remember that JWTs are not encrypted — anyone with the token can read the payload, so avoid sharing tokens containing sensitive data.