JWT Decoder

Decode JSON Web Tokens (JWT) instantly. View header, payload, and signature. Check expiry, inspect claims, and detect sensitive data. 100% client-side — your token never leaves your browser.

100% client-side — Your token is decoded entirely in the browser. No data is transmitted to any server.


What is a JWT Token?

A JSON Web Token (JWT) is a compact, URL-safe format for securely transmitting claims between parties. Defined in RFC 7519, it is the industry standard for stateless authentication and authorization in web applications and APIs.

A JWT consists of three Base64URL-encoded parts separated by dots:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.SflKxwRJSMeKK...
         Header                              Payload                    Signature

JWT Structure

Header

The header contains metadata about the token type and the signing algorithm used:

{
  "alg": "HS256",
  "typ": "JWT"
}

Common algorithms: HS256 (HMAC-SHA256), RS256 (RSA-SHA256), ES256 (ECDSA with P-256 and SHA-256), and none (unsigned). A token with alg set to none carries no signature at all, so a verifier must reject it unless unsigned tokens are explicitly expected; more generally, the verifier should decide which algorithm it accepts rather than trusting the value the token announces.

Payload

The payload contains claims — statements about an entity (typically the user) and additional metadata. RFC 7519 defines three types:

  1. Registered claims: names reserved by the RFC (iss, sub, aud, exp, nbf, iat, jti), listed in the table below.
  2. Public claims: names registered in the IANA "JSON Web Token Claims" registry, or otherwise chosen to be collision-resistant (for example, a URI).
  3. Private claims: names agreed between the issuer and the consumer, such as a role or tenant identifier.

Signature

The signature lets the recipient detect any change to the header or payload after issuance. For HS256 it is computed as:

HMACSHA256(base64url(header) + "." + base64url(payload), secret)

The signature cannot be verified without the corresponding secret key or public key.

Standard JWT Claims

Claim  Name        Description
-----  ----------  ------------------------------------------------------------------
iss    Issuer      Who issued the token (e.g., https://auth.example.com)
sub    Subject     Who the token is about (e.g., a user ID)
aud    Audience    Who the token is intended for
exp    Expiration  Unix timestamp (seconds) after which the token is invalid
nbf    Not Before  Unix timestamp (seconds) before which the token is not yet valid
iat    Issued At   Unix timestamp (seconds) when the token was created
jti    JWT ID      Unique identifier; lets a server that records seen IDs detect replay

How to Use This JWT Decoder

  1. Paste your JWT token into the input box (or click Paste Example to try a demo).
  2. Click Decode — or the tool decodes automatically when you paste a complete token.
  3. The Payload tab shows all claims with descriptions, formatted timestamps, and sensitive-data warnings.
  4. The Header tab shows the algorithm and token type.
  5. The Signature tab shows the raw signature segment for reference.

Decoding vs. Verification

Decoding a JWT (splitting on . and Base64URL-decoding each part) reveals its contents but does not confirm authenticity. Anyone can create a token with any payload if they know the format.

Verification — checking that the signature matches the header and payload — requires:

  1. The key: the shared secret for HMAC algorithms such as HS256, or the issuer's public key for RSA/ECDSA algorithms such as RS256 and ES256.
  2. The expected algorithm, chosen by the verifier rather than read from the token's alg header, so that a token claiming none or a different algorithm is rejected.
  3. Recomputing the signature over the first two segments and comparing it byte-for-byte (with a constant-time comparison) against the third segment.

A valid signature only proves who issued the token; the claims still need checking. At minimum, compare exp and nbf against the current time and aud and iss against the values your service expects.

This tool only decodes; use a server-side library for production signature verification.

Sensitive Claims

JWTs often carry personally identifiable information (PII). This tool highlights claims whose names indicate that they typically contain sensitive data, such as contact details or other personal attributes.

Never paste tokens with live authentication credentials into untrusted tools. While this tool runs entirely in your browser, follow your organization’s security policy when handling tokens.

Privacy

All decoding runs locally in your browser using JavaScript's built-in atob() and JSON.parse(). Because atob() expects standard Base64, each segment's Base64URL alphabet (- and _) is first mapped back to + and / and the padding restored before it is decoded. No data is transmitted to any server. Your token is not stored, logged, or shared.

FAQ

What is a JWT token?

A JSON Web Token (JWT) is a compact, URL-safe token format used to securely transmit claims between parties. It consists of three Base64URL-encoded parts separated by dots: a header (algorithm and type), a payload (claims), and a signature. JWTs are widely used for authentication, authorization, and information exchange in web applications and APIs.

Is my JWT token safe to paste here?

Yes. This tool runs entirely in your browser — no data is sent to any server. However, be cautious about sharing JWTs that contain live authentication credentials in general, as anyone who obtains a valid token can use it until it expires.

Can this tool verify the JWT signature?

No. JWT signature verification requires the secret key (for HMAC algorithms like HS256) or the public key (for RSA/ECDSA algorithms like RS256/ES256). This tool only decodes and displays the token contents without verifying authenticity.

What are JWT claims?

Claims are statements about an entity (usually the user) and additional metadata stored in the JWT payload. Standard registered claims include: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). Applications can also include custom private claims.

What does the expiry check do?

The tool reads the exp (expiration) claim from the payload, which is a Unix timestamp in seconds. It compares that value against the current time and displays whether the token is still valid or has expired, along with the remaining or elapsed time.