JWT Decoder
Decode JWT tokens to inspect header, payload, and expiry.
About the JWT Decoder
The JWT Decoder parses any JSON Web Token and displays the decoded header, payload, and expiry status in a readable format. Paste a JWT to instantly inspect every claim — including the issuer (iss), subject (sub), audience (aud), and expiration time (exp). The tool highlights whether the token is currently valid or expired.
JSON Web Tokens (JWTs) are a compact, self-contained format for transmitting authentication and authorization information. A JWT consists of three Base64URL-encoded parts separated by dots: the header (algorithm and token type), the payload (claims), and the signature. They are widely used in OAuth 2.0, OpenID Connect, and REST API authentication flows.
Important: this tool only decodes a JWT — it does not verify the cryptographic signature. The header and payload are readable by anyone who has the token; only the signature verification requires the secret key. Your token is never sent to any server — all decoding runs locally in your browser.
Frequently Asked Questions
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format for transmitting claims between parties. It consists of three Base64URL-encoded parts separated by dots: header.payload.signature. JWTs are used for authentication and authorization in web applications and APIs.
What does a JWT contain?
The header contains the signing algorithm (e.g., HS256, RS256) and token type. The payload contains claims: standard ones like sub (subject), iss (issuer), exp (expiration), and iat (issued at), plus any custom claims your application adds.
Is it safe to decode JWTs publicly?
Decoding is safe — the header and payload are just Base64URL-encoded, not encrypted. Anyone with a JWT can read its contents. This is by design: JWTs are verified via the signature, not concealed. Never put sensitive secrets in a JWT payload.
What does the exp claim mean?
The exp claim is the expiration time — a Unix timestamp (seconds since epoch) after which the token should not be accepted. This tool compares exp against the current time and highlights whether the token is still valid or has expired.
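As an added example (not the tool's own code), the following decode-only inspector does what the page describes: it splits the token, Base64URL-decodes the header and payload, and compares exp against a supplied clock, without ever checking the signature. The sample token and its issuer, subject and audience values are constructed for this illustration.

```javascript
// Minimal decode-only JWT inspector, in the spirit of the tool described above.
// It reads the header and payload and checks exp; it never verifies the signature,
// so `verified` is always false and nothing here should gate authorization.

function base64UrlEncode(str) {
  // Standard Base64 of the UTF-8 bytes, then the URL-safe alphabet, no padding.
  const bin = String.fromCharCode(...new TextEncoder().encode(str));
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(segment) {
  // Base64URL uses '-' and '_' for '+' and '/' and omits '=' padding.
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('invalid Base64URL segment length');
  if (rem) b64 += '='.repeat(4 - rem);
  // atob/btoa and TextDecoder are globals in browsers and in Node 16+.
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  // exp is a NumericDate in seconds since the Unix epoch. A token without exp
  // is reported as not expired here, which is exactly why issuers should set it.
  const expired = typeof payload.exp === 'number' && nowSeconds >= payload.exp;
  return { header, payload, signature: parts[2], expired, verified: false };
}

// Constructed sample token: illustrative claims and a placeholder signature
// segment rather than a real HMAC, since this example only decodes.
const SAMPLE_JWT = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({
    iss: 'https://issuer.example', sub: 'user-123', aud: 'api.example',
    iat: 1700000000, exp: 1700003600,
  })),
  'placeholder-signature',
].join('.');

console.log(JSON.stringify(decodeJwt(SAMPLE_JWT, 1700003599), null, 2));
```

Passing a fixed clock to decodeJwt makes the expiry check reproducible; in the browser the default argument uses the current time, as the tool does.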
What is the difference between HS256 and RS256?
HS256 (HMAC-SHA256) uses a single shared secret key for both signing and verification — simpler but requires sharing the secret. RS256 (RSA-SHA256) uses a private key to sign and a public key to verify — more secure for distributed systems since verifiers only need the public key.