JWT Decoder

Decode and inspect JSON Web Tokens. View the header, payload, and expiration details.

How to Decode a JWT Token

  1. Copy your JWT — get a JWT from your application, browser DevTools (Application → Cookies or Local Storage), or API response.
  2. Paste it in the box — the token should look like: eyJ...eyJ...SflK... (three Base64url parts separated by dots).
  3. Click "Decode JWT" — the header and payload appear formatted as JSON; the signature is shown as-is, since it is raw bytes rather than JSON.
  4. Check the timestamps — the expiry (exp) and issued-at (iat) times are shown in human-readable format with an expired/valid indicator.
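The four steps above, carried out in code, as an added example that is not the page's own tool code: the helper names (base64UrlDecode, decodeJwt, describeTiming) and the sample token are constructed for this example. The token's signature is 32 placeholder zero bytes, which the decoder accepts unchanged, because decoding never checks it. Timestamps are compared against an injectable "now" so the expiry check is deterministic.

```javascript
// Added example (not the page's tool code): decode a compact JWS
// "header.payload.signature" in the browser or Node without verifying it.

function base64UrlDecode(s) {
  // base64url uses '-' and '_' and drops '=' padding (RFC 4648 section 5).
  if (!/^[A-Za-z0-9_-]*$/.test(s)) throw new Error('not base64url');
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const bin = atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

function base64UrlEncode(bytes) {
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// exp, iat and nbf are NumericDate values: integer seconds since the Unix epoch.
function describeTiming(payload, now) {
  const toIso = (t) => (typeof t === 'number' ? new Date(t * 1000).toISOString() : undefined);
  let status = 'no-exp'; // a token without exp never expires on its own; worth flagging
  if (typeof payload.exp === 'number') status = payload.exp <= now ? 'expired' : 'active';
  if (typeof payload.nbf === 'number' && payload.nbf > now) status = 'not-yet-valid';
  return { status, exp: toIso(payload.exp), iat: toIso(payload.iat), nbf: toIso(payload.nbf) };
}

// nowSeconds is injectable so the expiry check is deterministic in tests.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    // A JWS has exactly three parts; a JWE has five and cannot be read this way.
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  const utf8 = new TextDecoder();
  const header = JSON.parse(utf8.decode(base64UrlDecode(h)));
  const payload = JSON.parse(utf8.decode(base64UrlDecode(p)));
  // The signature is opaque bytes, not JSON; only its length is reported.
  // An "alg":"none" token has an empty third part, so this comes out as 0.
  const signatureBytes = base64UrlDecode(s).length;
  return { header, payload, signatureBytes, timing: describeTiming(payload, nowSeconds) };
}

// Constructed sample token (not a real credential). Its signature is 32 zero
// bytes, which the decoder accepts unchanged: decoding never checks it.
const enc = new TextEncoder();
const SAMPLE_HEADER = { alg: 'HS256', typ: 'JWT' };
const SAMPLE_PAYLOAD = { sub: '1234567890', name: 'José Doe', iat: 1516239022, exp: 1516242622 };
const SAMPLE_TOKEN = [
  base64UrlEncode(enc.encode(JSON.stringify(SAMPLE_HEADER))),
  base64UrlEncode(enc.encode(JSON.stringify(SAMPLE_PAYLOAD))),
  base64UrlEncode(new Uint8Array(32)),
].join('.');

console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN, 1516240000), null, 2));
```

The decoder goes through TextDecoder rather than reading atob's output directly, so non-ASCII claim values such as the name above survive the round trip. Note what it does not do: it never looks at the signature bytes beyond counting them, so a tampered or forged token decodes exactly as cleanly as a genuine one.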

Frequently Asked Questions

Is it safe to paste my JWT here?
Yes — everything runs 100% in your browser using JavaScript, and no data is sent to any server. That said, a JWT is a bearer token: whoever holds it can use it until it expires, so treat a live token like a password. Avoid pasting production tokens in shared or public environments, and prefer testing with a short-lived or already expired token.
Can this tool verify the JWT signature?
No — signature verification requires the secret key (for HMAC algorithms such as HS256) or the issuer's public key (for RS256/ES256). An HMAC secret, like a private signing key, should never be pasted into a browser tool; a public key is safe to share, but this tool does not verify signatures in either case. It decodes and displays the token structure only, so a token that decodes cleanly may still be forged, tampered with, or issued by someone other than the expected issuer.
What is a JWT (JSON Web Token)?
A JWT is a compact, URL-safe token used for authentication and data exchange. It has three Base64url-encoded parts separated by dots: the header (specifying the algorithm), the payload (containing claims about the user), and the signature (for verification). The header and payload are encoded, not encrypted: anyone who obtains the token can read its claims, so secrets do not belong in the payload.
What are JWT claims?
Claims are statements in the JWT payload. Registered claims (RFC 7519): sub (subject, typically the user ID), iss (issuer), exp (expiration time), iat (issued at), nbf (not before), aud (audience), jti (unique token ID). exp, iat and nbf are NumericDate values: seconds, not milliseconds, since the Unix epoch. Applications add custom claims for their own data, such as roles; those claims are only as trustworthy as the signature that covers them.
What does an expired JWT mean?
If the current time is at or past the exp timestamp, the token is expired and servers must reject it (RFC 7519 allows a small leeway for clock skew, usually no more than a few minutes). This decoder highlights "EXPIRED" in red if exp has passed and shows "Valid" in green otherwise. "Valid" here means only that exp has not passed: the signature and the nbf, iss and aud claims are not checked, and a token without an exp claim never expires on its own.
What is the difference between RS256 and HS256?
HS256 (HMAC-SHA256) uses one shared secret for both signing and verification, so every service that verifies tokens can also mint them, and a compromise of any verifier compromises the whole system. RS256 (RSASSA-PKCS1-v1_5 with SHA-256) signs with a private key and verifies with a public key: verifiers hold only the public key, which is why it suits distributed systems where many services check tokens issued by one authority. In both cases the verifier should pin the algorithm it expects rather than honour whatever alg the token's header declares; a verifier that dispatches on the header can be tricked into treating a public key as an HMAC secret.