JWT Decoder
JWT (JSON Web Token) is a secure token format for authentication. Structure: header.payload.signature (3 Base64-encoded parts separated by dots). Header specifies algorithm (HS256, RS256), payload contains claims (user ID, expiration), signature verifies authenticity. Decode to view claims without verification. For example, token "eyJhbGc..." decodes to {"sub": "user123", "exp": 1234567890}. Never trust decoded data without signature verification. JWTs are stateless, self-contained, and widely used in OAuth 2.0 and API authentication.
Decode and inspect JWT (JSON Web Token) tokens. View header, payload, and signature separately with syntax highlighting. Check token expiration status.
Works OfflineDark ModeNo Ads
JWT Token
How to Use
- Enter your value in the input field
- Click the Calculate/Convert button
- Copy the result to your clipboard
Frequently Asked Questions
- What is a JWT (JSON Web Token)?
- A JWT is a compact, URL-safe token format for securely transmitting information between parties. It consists of three parts: Header (algorithm and type), Payload (claims/data), and Signature (verification). JWTs are commonly used for authentication and API authorization.
- Can this tool verify JWT signatures?
- This tool decodes and displays JWT contents but cannot verify signatures. Signature verification requires the secret key (HMAC) or public key (RSA/ECDSA) used to sign the token. This tool validates that the signature is properly formatted.
- What are common JWT claims?
- Standard claims: iss (issuer), sub (subject), aud (audience), exp (expiration), nbf (not before), iat (issued at), jti (JWT ID). Custom claims can contain any data like user ID, roles, or permissions. Claims in the payload are base64-encoded, not encrypted.
- How do I check if a JWT is expired?
- Check the exp (expiration) claim in the payload. It contains a Unix timestamp (seconds since Jan 1, 1970). If current time > exp, the token is expired. This decoder automatically shows expiration status with time remaining or time since expiry.
- Is it safe to decode JWTs in the browser?
- Yes, JWT payloads are base64-encoded (not encrypted), so anyone can decode them. Never put sensitive data like passwords in JWTs. This tool runs entirely in your browser - no tokens are sent to any server. Always use HTTPS when transmitting JWTs.