JWT Decoder
Decode and inspect JWT tokens. View header, payload, and check expiration. No signature verification - decoding only.
Safe conversion with no data sent to server
Last updated: March 2026
What is a JWT (JSON Web Token)?
A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained method for securely transmitting information between parties as a JSON object. JWTs are widely used for authentication and authorization in modern web applications, APIs, and microservices architectures. When a user logs in, the server generates a JWT containing claims (user identity, permissions, expiration time) and signs it with a shared secret or with the private key of a public/private key pair.
A JWT consists of three parts separated by dots: the Header (specifying the signing algorithm, such as HS256 or RS256), the Payload (containing claims such as sub, iat, and exp, plus custom data), and the Signature (used to verify that the token has not been tampered with). Each part is Base64URL-encoded, making JWTs URL-safe and easy to transmit in HTTP headers, query parameters, or cookies. Base64URL is an encoding, not encryption: anyone who holds the token can read its header and payload.
JWTs are stateless by design, meaning the server does not need to store session data. This makes them ideal for distributed systems and single sign-on (SSO) implementations. However, because they are self-contained, understanding what a JWT holds is critical for debugging authentication issues, verifying token expiration, and ensuring correct claim values.
How to Use This Tool
Paste your complete JWT token into the input field. A valid JWT looks like three Base64URL-encoded strings separated by dots (e.g., eyJhbGciOiJI...). Click "Decode JWT" to instantly parse and display the token's components. The tool will show the decoded Header (algorithm and token type), the Payload (all claims including registered, public, and private claims), and the raw Signature string.
If the token contains an exp (expiration) claim, the tool automatically checks whether the token has expired and displays a clear status indicator. You can copy any decoded section using the built-in copy button. Note that this tool performs decoding only: it does not verify signatures, which would require the signing secret or public key.
Common Use Cases
- Debugging authentication failures by inspecting token claims and expiration times
- Verifying that OAuth 2.0 access tokens contain the correct scopes and audience values
- Inspecting ID tokens from identity providers like Auth0, Firebase, or Okta
- Checking token expiration during API development and testing
- Validating custom claims added by backend services for role-based access control
- Analyzing JWT structure when implementing Single Sign-On (SSO) integrations
- Troubleshooting CORS and authorization header issues in frontend-backend communication
- Educational purposes to understand JWT structure and claim types
FAQ
Is it safe to paste my JWT token here?
Yes. This tool runs entirely in your browser. No token data is sent to any server. All decoding happens client-side using JavaScript, so your tokens remain private. However, avoid sharing decoded token contents publicly as they may contain sensitive user information.
Does this tool verify the JWT signature?
No. This tool only decodes and displays the token's contents. Signature verification requires the signing secret (for HMAC algorithms) or the public key (for RSA/ECDSA algorithms), which this tool does not request. Use server-side libraries for production signature validation.
What do common JWT claims like "iat", "exp", and "sub" mean?
iat (Issued At) is the Unix timestamp when the token was created. exp (Expiration Time) is when the token expires. sub (Subject) typically identifies the user. Other common claims include iss (issuer), aud (audience), and nbf (not before).
Why does my JWT show as expired even though I just generated it?
This usually indicates a timezone mismatch or a very short expiration window set by the issuing server. JWT expiration is based on Unix timestamps (seconds since epoch), and the comparison is made against your browser's current time. Check that your system clock is accurate and that the exp value is reasonable.