JWT Decoder — Inspect Headers, Claims & Expiry
How to Use
Paste a JWT token into the input field. The tool instantly decodes and displays the header (algorithm and type), payload (claims and data), and signature. Expiry status is automatically checked against the current time.
What Is a JWT
A JSON Web Token (JWT) is a compact, URL-safe token format for transmitting claims between parties. It consists of three Base64URL-encoded parts separated by dots: the header (algorithm metadata), the payload (claims such as user ID, expiry and issuer), and the signature, which lets the recipient verify that the header and payload were not altered. A plain signed JWT is not encrypted: anyone holding the token can read its claims, which is exactly what this decoder does. JWTs are widely used in OAuth 2.0, OpenID Connect, and API authentication.
Standard JWT Claims
- sub (Subject) — a unique identifier for the token's subject, typically a user ID
- iss (Issuer) — identifies the server or service that issued the token
- exp (Expiration Time) — the Unix timestamp after which the token is no longer valid
- iat (Issued At) — the Unix timestamp when the token was created
- nbf (Not Before) — the token must not be accepted before this Unix timestamp
- aud (Audience) — the intended recipient service or application for the token
- jti (JWT ID) — a unique identifier for the token, used to prevent token replay
Privacy & Security
All decoding happens entirely in your browser. Your token is never sent to a server, stored, or logged. Note: this tool only decodes tokens — it does not verify signatures. Never paste production tokens containing sensitive data into untrusted online tools.
FAQ
Does this tool verify the JWT signature?
No, it only decodes the token. Signature verification (HS256, RS256, etc.) requires the secret or public key and should happen server-side or in a library that has access to those keys.
Is it safe to paste a production JWT here?
All decoding happens entirely in your browser and the token is never sent anywhere. As a general rule, though, avoid pasting production tokens into any untrusted online tool — use test tokens when possible.
Why does my token show as 'valid' when its exp is in the past?
The tool compares exp against your local browser clock. If your system time is off, or if the server allows clock-skew tolerance, the actual server-side validity may differ from what is shown here.
What algorithms can appear in the alg header?
Common values are HS256 (HMAC using SHA-256), RS256 (RSASSA-PKCS1-v1_5 using SHA-256), and ES256 (ECDSA using P-256 and SHA-256). alg: "none" indicates an unsigned token and should be rejected. Because alg sits in the header, which is read before anything is verified, a verifier should pin the algorithm it expects rather than trust the value in the token. This tool displays alg but does not verify it.
Is a JWT the same as an OAuth access token?
Related but not identical. JWT is a token format spec; OAuth is a framework for issuing and using tokens. OAuth 2.0 often uses JWTs as access tokens, but tokens can also be opaque random strings.
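The decoding and expiry logic described above, written out as an added example that is not the tool's own code: it splits the token, Base64URL-decodes header and payload, flags alg "none", and evaluates exp and nbf against a supplied "now" with an optional clock-skew tolerance. The sample tokens are constructed inline with a placeholder signature, since nothing here verifies signatures.

```javascript
// Added example (not the tool's own code): decode a JWT without verifying it,
// then evaluate exp/nbf against a supplied "now" with optional clock-skew tolerance.
function base64UrlDecode(segment) {
  const pad = segment.length % 4;
  if (pad === 1) throw new Error("invalid base64url segment length");
  // base64url -> standard base64: swap the URL-safe alphabet and restore '=' padding
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - pad) % 4);
  const bin = atob(b64);
  // atob yields a binary string; re-decode it as UTF-8 so non-ASCII claim values survive
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

// Returns the decoded parts plus a list of warnings. signatureVerified is always
// false: like the tool above, this never checks the signature.
function decodeJwt(token, { now = Math.floor(Date.now() / 1000), skewSeconds = 0 } = {}) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  const warnings = [];
  if (typeof header.alg !== "string") warnings.push("missing alg header");
  else if (header.alg.toLowerCase() === "none") warnings.push("unsigned token (alg none)");
  // exp: expired once now is past exp plus skew; nbf: not yet valid while now plus skew is before nbf
  if (typeof payload.exp === "number" && now > payload.exp + skewSeconds) warnings.push(`expired at ${payload.exp}`);
  if (typeof payload.nbf === "number" && now + skewSeconds < payload.nbf) warnings.push(`not valid before ${payload.nbf}`);
  return { header, payload, signature: parts[2], warnings, signatureVerified: false };
}

// Constructed test tokens: the signature segment is a placeholder, not a real MAC.
function base64UrlEncode(str) {
  const bin = String.fromCharCode(...new TextEncoder().encode(str));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function makeSampleToken(header, payload, signature = "placeholder-sig") {
  return [base64UrlEncode(JSON.stringify(header)), base64UrlEncode(JSON.stringify(payload)), signature].join(".");
}

const now = 1700000000; // fixed "current time" so the result is reproducible
const sample = makeSampleToken(
  { alg: "HS256", typ: "JWT" },
  { sub: "user-42", iss: "https://issuer.example", iat: now - 3600, exp: now - 10 }
);
console.log(decodeJwt(sample, { now }).warnings);                  // ["expired at 1699999990"]
console.log(decodeJwt(sample, { now, skewSeconds: 60 }).warnings); // [] (10 s past exp, inside the 60 s skew)
```

Passing a different `now` reproduces the FAQ point above: the same token reads as expired or valid depending on the clock it is compared against.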