JWT Decoder
Decode and inspect JSON Web Tokens instantly. View header, payload, claims, and expiration status. 100% client-side.
How to Use the JWT Decoder
Paste any JSON Web Token into the input field and instantly see its decoded contents. The tool automatically separates the JWT into its three components — header, payload, and signature — and displays each in a formatted, readable view.
The header section shows the signing algorithm (e.g., HS256, RS256, ES256) and the token type. The payload section displays all claims, including standard claims like subject (sub), issuer (iss), and expiration (exp), as well as any custom claims. Unix timestamps are automatically converted to human-readable dates.
The claims table provides a structured view of every key-value pair in the payload, with automatic timestamp decoding for time-based claims. The expiry status indicator at the top shows whether the token is still within its validity window or has expired, along with the time remaining or elapsed.
JWTs are the standard authentication mechanism for modern web applications, APIs, and microservices. Understanding their structure is essential for debugging authentication issues, verifying token contents during development, and inspecting tokens received from third-party services. This tool makes that process instant and secure.
Use the “Load Sample” button to see a pre-built JWT example with typical claims. You can copy individual sections using the copy buttons on each decoded section, making it easy to extract specific parts for use in your development workflow.
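The decoding steps described above, written out as an added JavaScript example (not this tool's own code): it splits the token, base64url-decodes the header and payload, converts the time-based claims, and reports expiry against a supplied clock. The names inspectJwt, b64urlToJson and toB64url and the sample token are assumptions made for the illustration.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies the signature.
function b64urlToJson(segment) {
  // base64url -> base64: swap the URL-safe alphabet, restore '=' padding
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  const bin = typeof atob === "function"
    ? atob(b64)
    : Buffer.from(b64, "base64").toString("binary");
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes)); // segments are UTF-8 JSON
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);

  // Time-based claims are seconds since the Unix epoch; render them as ISO dates
  const times = {};
  for (const claim of ["exp", "iat", "nbf"]) {
    if (typeof payload[claim] === "number") {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  const hasExp = typeof payload.exp === "number";
  return {
    header, payload, times,
    status: !hasExp ? "no exp claim" : nowSeconds >= payload.exp ? "expired" : "not expired",
    secondsToExpiry: hasExp ? payload.exp - nowSeconds : null,
    signatureVerified: false, // decoding alone never proves who issued the token
  };
}

// Constructed sample token; the third segment is a placeholder, not a real MAC
const toB64url = (obj) => {
  const json = JSON.stringify(obj);
  const b64 = typeof btoa === "function" ? btoa(json) : Buffer.from(json).toString("base64");
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
};
const SAMPLE = [
  toB64url({ alg: "HS256", typ: "JWT" }),
  toB64url({ sub: "user-123", iss: "https://issuer.example", iat: 1700000000, exp: 1700003600 }),
  "c2lnbmF0dXJl",
].join(".");

console.log(inspectJwt(SAMPLE, 1700000100));
```

Passing the clock as a second argument keeps the expiry check reproducible; omit it to compare against the current time.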
Frequently Asked Questions
What is a JSON Web Token (JWT)?
A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three parts — a header (algorithm and token type), a payload (claims like user ID, expiration, etc.), and a signature — separated by dots. JWTs are commonly used for authentication, authorization, and information exchange in web applications.
Is it safe to paste my JWT here?
Yes. This tool runs entirely in your browser using JavaScript. No data is sent to any server. The JWT is decoded using base64 decoding on the client side, so your token never leaves your device. You can verify this by checking the network tab in your browser's developer tools.
Can this tool verify JWT signatures?
This tool decodes and displays the JWT structure but does not verify signatures, so the claims it shows are unverified and should not be trusted for any access decision. Signature verification requires the signing secret (for HMAC algorithms) or the public key (for RSA/ECDSA), which should never be shared in a browser tool. For signature verification, use server-side libraries like jsonwebtoken (Node.js) or PyJWT (Python).
What do the standard JWT claims mean?
Common JWT claims include: 'sub' (subject — who the token is about), 'iss' (issuer — who created the token), 'exp' (expiration time as Unix timestamp), 'iat' (issued at time), 'nbf' (not before — token is not valid before this time), 'aud' (audience — intended recipient), and 'jti' (JWT ID — unique identifier). Custom claims can also be added for application-specific data.
Why does my JWT show as expired?
The 'exp' claim in the JWT payload is a Unix timestamp indicating when the token expires. If the current time is past this timestamp, the token is expired. This is normal — JWTs are designed to be short-lived for security. You need to refresh or obtain a new token from the issuing server.