JWT Decoder

Paste any JSON Web Token to instantly decode the header, payload, and claims. See expiry dates and token details at a glance.

What Are JSON Web Tokens (JWTs)?

A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. JWTs are widely used for authentication and authorization in web applications. When a user logs in, the server creates a JWT containing the user's identity and permissions, and the client includes this token in subsequent requests.

The Three Parts of a JWT

A JWT consists of three Base64url-encoded sections separated by dots (xxxxx.yyyyy.zzzzz):

Header: Contains the token type (JWT) and the signing algorithm (e.g., HS256, RS256).

Payload: Contains claims — statements about the user and additional metadata. Standard claims include sub (subject), iss (issuer), exp (expiration), iat (issued at), and aud (audience).

Signature: Created by signing the encoded header and payload with a key. This lets the recipient detect whether the token has been tampered with. Verification requires the shared secret (for HMAC algorithms such as HS256) or the issuer's public key (for asymmetric algorithms such as RS256).

JWT Claims Explained

exp (Expiration Time): A Unix timestamp after which the token is no longer valid. Servers should reject expired tokens.
iat (Issued At): The Unix timestamp when the token was created.
nbf (Not Before): The token should not be accepted before this timestamp.
sub (Subject): Typically the user ID or username the token represents.
iss (Issuer): Identifies who issued the token (e.g., your auth server).
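The decoding described in the two sections above, plus the exp/nbf/iat checks a server should apply, as an added example in JavaScript (this is not the tool's own code). It assumes a Node.js runtime for `Buffer`; the sample token is constructed inline and carries a placeholder signature.

```javascript
// Added example (not the tool's own code): decode a JWT's header and payload and
// evaluate its time claims. Like the tool, this only READS the token; it does not
// verify the signature, which needs the HMAC secret or the issuer's public key.

// JWT segments are Base64url (RFC 4648 section 5): '-' and '_' replace '+' and
// '/', and the trailing '=' padding is dropped, so it is restored before decoding.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64.padEnd(Math.ceil(b64.length / 4) * 4, "=");
  return Buffer.from(padded, "base64").toString("utf8"); // Node; a browser would use atob()
}

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Split header.payload.signature and parse the two JSON segments.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated segments");
  const [header, payload, signature] = parts;
  return {
    header: JSON.parse(base64UrlDecode(header)),   // e.g. { alg: "HS256", typ: "JWT" }
    payload: JSON.parse(base64UrlDecode(payload)), // the claims
    signature,                                     // raw Base64url, left unverified here
  };
}

// exp / nbf / iat checks as a server should apply them (RFC 7519 section 4.1):
// the token is expired once `now` reaches exp, and not yet valid before nbf.
// `now` is Unix seconds; `leeway` tolerates small clock skew between issuer and verifier.
function checkTimeClaims(payload, now = Math.floor(Date.now() / 1000), leeway = 0) {
  const problems = [];
  if (typeof payload.exp === "number" && now >= payload.exp + leeway) problems.push("expired");
  if (typeof payload.nbf === "number" && now + leeway < payload.nbf) problems.push("not yet valid");
  if (typeof payload.iat === "number" && payload.iat > now + leeway) problems.push("issued in the future");
  return { ok: problems.length === 0, problems };
}

// Constructed sample token (not a real credential): HS256 header, standard claims,
// and a placeholder signature segment that no verifier would accept.
const SAMPLE_JWT = [
  base64UrlEncode({ alg: "HS256", typ: "JWT" }),
  base64UrlEncode({ sub: "user-1234", iss: "https://auth.example.com", iat: 1700000000, exp: 1700003600 }),
  "placeholder-signature",
].join(".");

const decoded = decodeJwt(SAMPLE_JWT);
console.log(decoded.header, decoded.payload, checkTimeClaims(decoded.payload, 1700001000));
```

A real verifier must pin the algorithm it expects and check the signature before trusting any claim shown here; the decode step alone proves nothing about who issued the token.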

Security Considerations

JWT payloads are Base64url-encoded, not encrypted. Anyone who obtains a token can decode and read its contents. Never store sensitive data (passwords, credit card numbers) in a JWT payload. The signature only provides integrity (proof that the data has not been modified), not confidentiality (keeping the data hidden).

Frequently Asked Questions

What is a JWT token?
A JWT is a compact token format with three parts: header (algorithm), payload (claims/data), and signature (verification). It's widely used for authentication in web apps and APIs.
How do I decode a JWT?
Paste the JWT into this tool. The header and payload are Base64url-encoded JSON — no secret key is needed to read them. Only signature verification requires the secret (or the issuer's public key).
What is the payload of a JWT?
The payload contains claims — pieces of data like user ID (sub), expiration (exp), issuer (iss), and any custom data the server includes.
How do I check if a JWT is expired?
Decode the JWT and check the exp claim. If the current time exceeds the exp timestamp, the token is expired. This tool highlights expired tokens in red.
Is it safe to decode a JWT online?
This tool runs entirely in your browser — no data is sent to any server. However, avoid pasting production tokens with real user data into untrusted tools.