JWT Decoder
Decode a JWT into its header, payload, and signature. Auto-converts iat/exp/nbf timestamps and flags expired tokens. Browser-based, nothing uploaded.
Expires in 1596d 15h 25m (Sat, 21 Sep 2030 16:37:02 GMT)
{
  "alg": "HS256",
  "typ": "JWT"
}
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1916239022
}
Signature verification requires the secret key or public key and is not performed by this tool.
Security Note
Never share JWTs in URLs or public logs. Treat them like passwords — anyone with the token can impersonate the user until it expires. Always use HTTPS to transmit tokens.
What is the JWT Decoder?
A JWT (JSON Web Token) is a string of three Base64Url-encoded parts separated by dots: a header that names the signing algorithm, a payload of claims (user ID, expiration, issuer), and a signature that proves the token wasn't tampered with. A JWT decoder reads the first two parts so you can inspect what's inside before trusting the token in production code. The header and payload are encoded, not encrypted, so anyone holding the token can read them.
How to use the JWT Decoder
1. Paste the token
Drop your JWT into the input field. The Sample button loads a working example if you don't have one handy.
2. Read the decoded header
The blue Header card shows the algorithm (alg) and token type. RS256 means asymmetric signing, HS256 means a shared secret.
3. Inspect the payload claims
The purple Payload card lists every claim. Common ones: sub (user ID), iat (issued at), exp (expires at), iss (issuer), aud (audience).
4. Check expiration status
If the payload has an exp claim, the green or red banner above the cards tells you whether the token is still valid right now.
Frequently Asked Questions
What is a JWT token?
A JWT is a compact, URL-safe credential made of three Base64Url-encoded parts joined by dots: header (algorithm), payload (claims like user ID and expiration), and signature (cryptographic proof of integrity). Servers issue them to clients, clients send them back on each request, and the server validates the signature instead of looking up a session.
Can this tool verify JWT signatures?
No. Verification needs the signing key (the shared secret for HS algorithms or the public key for RS/ES algorithms), and pasting either of those into a web tool would defeat the security model. Verification belongs in your auth middleware. This tool decodes and inspects only.
Does it check if the token is expired?
If the payload contains an exp claim, the status banner compares it to your current local time and shows Token Valid or Token Expired. The detail line tells you how long ago it expired or how long it has left.