A JSON Web Token — a compact, URL-safe string with three Base64url-encoded parts: header, payload and signature. It represents claims (statements about a user or entity) in a tamper-evident format that can be verified without calling the auth server.

Is it safe to decode a JWT in this tool?

Decoding only reads the header and payload — no key is required for that. However, never paste a production JWT containing live credentials, PII or sensitive claims into any online tool. The payload is Base64-encoded and immediately readable; treat a JWT like a password.

What does exp mean in a JWT?

The expiration time — a Unix timestamp (seconds since Jan 1 1970 UTC) after which the token must be rejected. This decoder converts it to a human-readable date and highlights expired tokens. Always set exp on tokens you issue.

Does this tool verify the JWT signature?

No. Signature verification requires the secret (for HMAC) or the public key (for RSA/ECDSA). This tool only decodes the header and payload for inspection. To verify a signature, use your backend library.

What is the difference between HS256 and RS256?

HS256 uses a shared HMAC secret — both issuer and verifier must know the same secret. RS256 uses RSA asymmetric keys — the issuer signs with a private key and anyone can verify with the public key. RS256 is better for multi-service architectures where you do not want to share a secret.

Can a JWT be tampered with?

The payload can be decoded and modified, but the signature will then be invalid. A server that properly verifies the signature will reject the tampered token. Never skip signature verification on the server side.

🔑

JWT Decoder

Decode and inspect JSON Web Tokens (JWT) instantly. Free, private, no signup.

💻 Developer Tools Free Browser-based

Tool

Paste JWT token

JWT Structure Explained

A JWT (JSON Web Token) has three dot-separated parts, each independently Base64url-encoded: header.payload.signature. The payload is readable by anyone — it is encoded, not encrypted. Only the signature proves the token was issued by someone who knew the secret, and signature verification requires the key. This tool decodes the header and payload for inspection without needing the key.

Header — specifies the token type (JWT) and the signing algorithm (HS256, RS256, ES256, etc.).
Payload — contains claims: registered claims (iss, sub, exp, iat) and custom application claims.
Signature — the HMAC or RSA/ECDSA signature over the encoded header and payload. Verification requires the secret key or public key.

Common JWT Claims

Claim	Full name	Meaning
`iss`	Issuer	Who issued the token (e.g. your auth server URL)
`sub`	Subject	Who the token is about — usually a user ID
`aud`	Audience	Intended recipient — the API or service that should accept it
`exp`	Expiration	Unix timestamp when the token expires; reject tokens past this time
`iat`	Issued at	Unix timestamp when the token was created
`nbf`	Not before	Token must not be accepted before this time
`jti`	JWT ID	Unique identifier — used to prevent replay attacks

JWT vs Session Tokens

	JWT (stateless)	Session token (stateful)
Storage	Client stores the full token	Server stores session data; client has a session ID
Revocation	Difficult — token valid until expiry	Easy — delete session from the server
Scalability	Works across multiple servers without shared state	Requires shared session store (Redis, DB) for multiple servers
Payload size	Grows with every claim added	Fixed — just a session ID string

JWT Security Best Practices

Set a short expiry (exp) — access tokens should typically expire in 15–60 minutes. Use refresh tokens for longer sessions.
Never put sensitive data in the payload — the payload is Base64-encoded, not encrypted. Anyone with the token can read it.
Verify the signature server-side — never trust a JWT that has not been verified against the secret or public key.
Use HTTPS always — a JWT in an HTTP request is exposed to anyone who can intercept the connection.
Reject the alg: none attack — ensure your library does not accept tokens with the algorithm set to none.

JWT Decoder

JWT Structure Explained

Common JWT Claims

JWT vs Session Tokens

JWT Security Best Practices

Frequently Asked Questions