JWT Decoder
Decode and inspect JSON Web Tokens instantly.
How it works
- 1. Paste your JWT: paste a JSON Web Token into the input field.
- 2. View decoded parts: instantly see the decoded header, payload, and signature.
- 3. Check expiration: the tool shows whether the token is expired based on the exp claim.
Common use cases
- Standard JWT: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
About This Tool
Paste a JWT and instantly see its decoded header, payload, and signature. Inspect claims like expiration time (exp), issued at (iat), subject (sub), and custom claims. The tool validates the token structure and shows expiration status.
Perfect for debugging authentication flows, inspecting API tokens, and understanding OAuth responses.
No libraries needed -- runs entirely in your browser.
A JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. JWTs are compact, URL-safe, and self-contained, making them the dominant token format for modern authentication and authorization systems. You will encounter JWTs in OAuth 2.0 flows, Single Sign-On (SSO) systems, API authentication, and session management.
A JWT consists of three Base64URL-encoded parts separated by dots: the header (which specifies the token type and signing algorithm), the payload (which contains the claims -- statements about an entity and additional data), and the signature (which is used to verify the token has not been tampered with). This tool splits the token on the dots, Base64URL-decodes the header and payload, and displays the resulting JSON. It also checks the exp (expiration) claim against the current time to tell you whether the token is still valid.
Common claims you will see in the payload: iss (issuer) identifies who created the token, sub (subject) identifies the user or entity, aud (audience) identifies the intended recipient, exp (expiration time) is the timestamp after which the token should no longer be accepted, iat (issued at) is when the token was created, and jti (JWT ID) is a unique identifier for the token.
Real-world scenarios: debugging why a user session expired (check the exp claim), verifying that an OAuth provider is returning the expected scopes, inspecting the claims in an ID token during a Sign In With Apple flow, and checking the alg header to ensure the token is using a secure signing algorithm (HS256 or RS256 rather than none).
Important: this tool decodes tokens but does not verify cryptographic signatures. Signature verification requires the secret key (for HMAC algorithms) or public key (for RSA/ECDSA algorithms), which this tool does not have access to. Decoding a token does not prove its authenticity -- it only reveals the contents. Never trust claims from an unverified token in a security-critical context.
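The split, Base64URL-decode and exp check described above, written out as an added example (not the tool's own code). It assumes Node.js for Buffer; the second token and its placeholder signature are constructed here for illustration.

```javascript
// Added example, not the tool's code. Node.js: in a browser use atob() + TextDecoder.

// JWT segments use the URL-safe Base64 alphabet with the "=" padding stripped.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function base64UrlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decodes the token and evaluates exp/nbf against `now` (seconds since the epoch).
// The signature is returned for display only; nothing here verifies it.
function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  const [headerB64, payloadB64, signature] = parts;
  const header = JSON.parse(base64UrlDecode(headerB64));
  const payload = JSON.parse(base64UrlDecode(payloadB64));
  const hasExp = typeof payload.exp === "number";
  return {
    header,
    payload,
    signature,
    // RFC 7519: the current time must be strictly before exp for the token to be valid.
    expired: hasExp ? now >= payload.exp : null,
    notYetValid: typeof payload.nbf === "number" ? now < payload.nbf : null,
    // alg "none" (or an empty signature segment) means the token is unsigned.
    unsigned: header.alg === "none" || signature === "",
  };
}

// The page's sample token: it carries iat but no exp, so expiration status is unknown (null).
const SAMPLE_JWT = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

// Constructed token with exp one hour after iat; the signature segment is a
// placeholder, which is fine because this decoder never checks it.
const CONSTRUCTED_JWT = [
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({ sub: "42", iat: 1700000000, exp: 1700003600 })),
  "placeholder-signature",
].join(".");

console.log(decodeJwt(SAMPLE_JWT));
console.log(decodeJwt(CONSTRUCTED_JWT, 1700007200).expired); // true
```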
Examples
Standard JWT
Input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Output
Header: {"alg":"HS256","typ":"JWT"}
Payload: {"sub":"1234567890","name":"John Doe","iat":1516239022}
Frequently Asked Questions
- What is a JWT?
- A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. It consists of a header, payload, and signature separated by dots, defined in RFC 7519.
- Does this tool verify JWT signatures?
- This tool decodes and displays the JWT structure but does not verify cryptographic signatures, as that requires the signing secret or public key.
- Is it safe to paste my JWT here?
- Yes. All decoding happens entirely in your browser. The token is never sent to any server.
- How do I check if my JWT is expired?
- Paste your JWT and the tool automatically checks the exp claim against the current time. It displays a clear indicator showing whether the token is valid or expired, along with the exact expiration timestamp.
- What are the standard JWT claims?
- Standard claims include iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). Custom claims can include anything -- roles, permissions, email, name, etc.
- What is the "none" algorithm in JWT?
- The "none" algorithm means the token is unsigned -- no signature verification is performed. This is a known security vulnerability if a server accepts tokens with alg: "none". Always ensure your server rejects unsigned tokens.
- Data & privacy: how is my token handled?
- Your JWT is decoded entirely in your browser using JavaScript. It is never transmitted to any server. When you close or refresh the page, all data is cleared.