JWT Decoder
Paste a JSON Web Token to instantly decode and inspect its header, payload and claims. Shows expiry time in human-readable format and flags expired tokens. Runs in your browser — nothing is uploaded or sent to a server.
JWT Structure Explained
A JWT has three dot-separated parts, each Base64url-encoded:
- Header — specifies the token type (JWT) and the signing algorithm (HS256, RS256, etc.).
- Payload — contains claims: registered claims (iss, sub, exp, iat) and custom application claims.
- Signature — created by signing the encoded header and payload with a secret. Used to verify authenticity.
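The decoding step described above, written out as an added example (this is not the tool's own source): it splits the token, Base64url-decodes the header and payload, converts exp to a date and flags expired tokens, and deliberately reports the signature as unverified because no secret or public key is involved. The sample tokens are constructed for illustration, not real credentials.

```javascript
// Added example (not the tool's own source): decode a JWT's header and
// payload, show exp as an ISO date and flag expired tokens, exactly as the
// decoder above does. Nothing here verifies the signature; that needs the
// secret or public key. Works in browsers and in Node (atob/Buffer, TextDecoder).

function base64UrlDecode(segment) {
  // Base64url -> standard Base64, then restore the '=' padding JWTs strip
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  if (b64.length % 4 === 1) throw new Error('invalid Base64url segment');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bin = typeof atob === 'function'
    ? atob(padded)
    : Buffer.from(padded, 'base64').toString('binary');
  // Reinterpret the byte string as UTF-8 so non-ASCII claim values survive
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

function decodeJwt(token, nowMs = Date.now()) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('a JWT has exactly three dot-separated parts');
  const [headerB64, payloadB64, signatureB64] = parts;
  const header = JSON.parse(base64UrlDecode(headerB64));
  const payload = JSON.parse(base64UrlDecode(payloadB64));

  // exp and nbf are Unix timestamps in seconds; compare against the caller's clock
  const toIso = (secs) => new Date(secs * 1000).toISOString();
  const hasExp = typeof payload.exp === 'number';
  const hasNbf = typeof payload.nbf === 'number';
  return {
    header,
    payload,
    expiresAt: hasExp ? toIso(payload.exp) : null,
    expired: hasExp && payload.exp * 1000 <= nowMs,
    notYetValid: hasNbf && payload.nbf * 1000 > nowMs,
    signature: signatureB64,
    signatureVerified: false, // decoding never proves who issued the token
  };
}

// Constructed sample tokens, not real credentials. SAMPLE_TOKEN is the widely
// used demo token layout with only iat; EXPIRED_TOKEN carries an exp in the
// past and a placeholder signature segment that is never checked.
const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';
const EXPIRED_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MTYyMzkwMjJ9.PLACEHOLDER_SIG';
```

Passing a fixed `nowMs` instead of the wall clock makes the expiry check reproducible, which is also how you would unit-test it.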
Common JWT Claims
| Claim | Meaning |
|---|---|
| iss | Issuer — who issued the token |
| sub | Subject — who the token is about (usually user ID) |
| aud | Audience — intended recipient |
| exp | Expiration — Unix timestamp when token expires |
| iat | Issued at — Unix timestamp when token was created |
| nbf | Not before — token not valid before this time |
| jti | JWT ID — unique identifier for the token |
Security Notes
JWT payloads are encoded, not encrypted. Anyone who has the token can read the payload. Do not store sensitive data like passwords or secrets in JWT claims. For confidential payloads, use JWE (JSON Web Encryption) instead.
Frequently Asked Questions
What is a JWT?
A JSON Web Token is a compact, URL-safe token representing claims between parties. It has three Base64url-encoded parts: header, payload and signature.
Is it safe to decode a JWT?
Decoding only reads the header and payload. JWTs are encoded, not encrypted. Never paste a production JWT with sensitive claims into any online tool.
What does exp mean in a JWT?
The expiration time claim — a Unix timestamp when the token expires. The decoder converts it to a human-readable date.
Does this tool verify the JWT signature?
No. Verification requires the secret or public key. This tool only decodes for inspection.