ZeroKit

How to Decode and Inspect JWTs

The JWT Decoder splits a JSON Web Token into its three parts — header, payload, and signature — and displays the decoded contents with expiry status.

  1. Paste your JWT (the long base64url-encoded string) into the input field.
  2. View the decoded header (algorithm, type) and payload (claims, expiry) instantly.
  3. Check the expiry status — the tool highlights whether the token is still valid or expired.

How JWTs Work

A JWT consists of three Base64url-encoded parts separated by dots: header.payload.signature. The header specifies the algorithm (e.g., RS256). The payload contains claims: data like user ID, email, roles, and expiry time. The signature is computed over the encoded header and payload with the signing key, so a verifier that holds the right key can detect tampering. JWTs are used for authentication, API authorization, and session management.

Why Use Our JWT Decoder?

  • Instant decode — paste and see all three sections immediately.
  • Expiry check — see whether the token is valid or expired at a glance.
  • Claim highlighting — standard claims (iss, sub, exp, iat) are labelled.
  • Client-side only — your token never leaves the browser.

Frequently Asked Questions

Does this tool verify the JWT signature?

This tool decodes and displays the token contents; it does not verify the signature. Signature verification requires the server's secret or public key. The tool is for inspection, not validation.

Is it safe to paste my JWT here?

Yes. The tool runs entirely in your browser. Your token is never sent to any server. That said, treat JWTs as sensitive — they are credentials.

What does 'exp' mean?

The 'exp' claim is the expiration time as a Unix timestamp. The tool converts this to a human-readable date and tells you whether the token has expired.

Can I edit the JWT?

You can view the decoded content but cannot edit and re-sign the token — that would require the signing key.