aicores.io

JWT Decoder

Paste a JSON Web Token below to decode its header and payload.

This tool decodes JWTs for inspection only — it does not verify signatures. Never paste tokens containing sensitive data into untrusted tools.

About JWT Decoder

JSON Web Tokens (JWTs) are a compact, URL-safe way to represent claims between two parties. This free online decoder lets you inspect the header and payload of any JWT instantly in your browser. It displays the algorithm, token type, all payload claims, and highlights expiration status. No data is sent to any server — decoding happens entirely client-side.

How to Use

  1. Paste your JWT token into the input field. It should have three parts separated by dots.
  2. Click Decode to parse the header and payload.
  3. Review the decoded header for algorithm and type information, and the payload for all claims.
  4. Check the expiry badge to see whether the token has expired or is still within its validity period.

Frequently Asked Questions

What is a JWT?

A JSON Web Token (JWT) is a compact token format used to securely transmit information between parties. It consists of three Base64URL-encoded parts: a header, a payload, and a signature, separated by dots.

Does this tool verify JWT signatures?

No. This tool only decodes the header and payload for inspection. Signature verification requires the secret key or public key, which should never be shared in a browser tool. Use a backend library for signature verification.

What do the "exp" and "iat" claims mean?

The exp (expiration time) claim indicates when the token expires, as a Unix timestamp. The iat (issued at) claim indicates when the token was created. Both are measured in seconds since January 1, 1970 UTC.

Is it safe to paste my JWT here?

All decoding happens entirely in your browser. No data is sent to any server. However, JWTs may contain sensitive claims, so avoid sharing tokens from production systems in any untrusted environment.

Why does my JWT show as expired?

The expiry check compares the exp claim against your browser's current time. If the token's expiration timestamp is in the past, it will show as expired. Make sure your system clock is accurate.
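The decode and expiry steps described above can be reproduced locally. This is an added example, not this site's code: the names inspectJwt, b64urlToJson, encodeSegment and SAMPLE_TOKEN are assumptions, and the sample token is constructed with a fake signature.

```javascript
// Added example: decode-only JWT inspection. It does NOT verify the signature.
function b64urlToJson(segment) {
  // Base64URL -> Base64: swap the URL-safe characters and restore padding.
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not Base64URL");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated parts");
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  // exp and iat are seconds since 1970-01-01 UTC; anything else is malformed.
  let expiry = "no exp claim";
  if ("exp" in payload) {
    if (typeof payload.exp !== "number" || !Number.isFinite(payload.exp)) expiry = "malformed exp";
    else expiry = payload.exp <= nowSeconds ? "expired" : "not expired";
  }
  return {
    alg: header.alg, typ: header.typ, payload, expiry,
    issuedAt: typeof payload.iat === "number" ? new Date(payload.iat * 1000).toISOString() : null,
    signatureVerified: false, // decoding proves nothing about authenticity
  };
}

// Constructed sample token (fake signature), built inline so the example runs offline.
function encodeSegment(obj) {
  const bin = String.fromCharCode(...new TextEncoder().encode(JSON.stringify(obj)));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_TOKEN = [
  encodeSegment({ alg: "HS256", typ: "JWT" }),
  encodeSegment({ sub: "user-123", iat: 1700000000, exp: 1700003600 }),
  "constructed-signature",
].join(".");

console.log(inspectJwt(SAMPLE_TOKEN, 1700000100)); // evaluated at a fixed clock
```

The result always carries signatureVerified: false, because anyone can produce a token that decodes cleanly; a "not expired" result says nothing about whether the token is authentic.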
