JWT Decoder

Decode and inspect JWT tokens instantly in the browser — view header, payload claims, expiry status, and signature without sending data to a server.

🔒 This tool runs entirely in your browser: the token you paste is never uploaded to any server.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe format for passing a set of claims between parties. In its common signed form (a JWS) it consists of three Base64url-encoded parts separated by dots: a Header, a Payload, and a Signature. The signature lets a recipient that holds the right key confirm who issued the token and that it has not been modified; it does not hide the contents, so anyone who obtains the token can read the payload.

How to Use

  1. Paste your JWT token into the input field — or click Sample to load an example token.
  2. The tool instantly decodes and displays the Header and Payload as formatted JSON.
  3. Any timestamp claims (exp, iat, nbf) are shown as human-readable dates with a validity badge.
  4. The raw Signature is displayed for reference — use Copy to grab any section.

Token Structure

  • Header — contains the token type (typ) and signing algorithm (alg), e.g. HS256 or RS256.
  • Payload — contains the claims: the subject, issuer, expiry time, and any custom data.
  • Signature — a MAC (for HS* algorithms) or a digital signature (for RS*, PS* and ES* algorithms) computed with the issuer's key over the encoded header and payload joined by a dot. A verifier that holds the secret or public key recomputes or checks it to confirm the token is authentic and unmodified; it is not a plain hash, so it cannot be checked without the key.
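The steps above, as an added example rather than the tool's own source: a minimal decoder that splits the three segments, Base64url-decodes the header and payload, renders the exp, iat and nbf claims as dates, and computes a display-only validity badge without touching the signature. It uses only atob, btoa and TextEncoder/TextDecoder, which exist in browsers and in Node 16 or later. The first sample is the widely published jwt.io demo token; the second is constructed here with a placeholder signature purely to exercise the expiry badge.

```javascript
// Added example: a minimal client-side JWS decoder (not the tool's own code).
// Browser-native APIs only: atob/btoa and TextEncoder/TextDecoder.

function base64urlDecode(segment) {
  // Map the URL-safe alphabet back to standard Base64 and restore the
  // "=" padding that JWT segments omit (RFC 7515 section 2).
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('invalid Base64url segment length');
  if (rem) b64 += '='.repeat(4 - rem);
  const bytes = Uint8Array.from(atob(b64), ch => ch.charCodeAt(0));
  // fatal: true rejects malformed UTF-8 instead of silently substituting U+FFFD
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

function base64urlEncode(text) {
  const bytes = new TextEncoder().encode(text);
  const binary = Array.from(bytes, b => String.fromCharCode(b)).join('');
  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Claims that hold NumericDate values (seconds since the Unix epoch).
const TIME_CLAIMS = ['exp', 'iat', 'nbf'];

// Decode a compact JWS. `now` is injectable so the badge is testable.
function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  // A JWS has three segments. Five segments means a JWE, whose payload is
  // ciphertext and cannot be read this way.
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [h, p, signature] = parts;
  const header = JSON.parse(base64urlDecode(h));
  const payload = JSON.parse(base64urlDecode(p));

  // Human-readable dates for whichever timestamp claims are present.
  const dates = {};
  for (const claim of TIME_CLAIMS) {
    if (Number.isFinite(payload[claim])) {
      dates[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }

  // Display-only validity badge: RFC 7519 requires now < exp and now >= nbf.
  // It says nothing about whether the signature is genuine.
  let status = 'no expiry';
  if (Number.isFinite(payload.exp)) {
    status = now < payload.exp ? 'valid' : 'expired';
  }
  if (status !== 'expired' && Number.isFinite(payload.nbf) && now < payload.nbf) {
    status = 'not yet valid';
  }
  return { header, payload, signature, dates, status };
}

// Build a token with a placeholder signature, only to exercise the badge.
function displayOnlyToken(header, payload) {
  return `${base64urlEncode(JSON.stringify(header))}.` +
         `${base64urlEncode(JSON.stringify(payload))}.placeholder-signature`;
}

// Sample input: the widely published jwt.io demo token (HS256). Its
// signature is carried through untouched; nothing here verifies it.
const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

// Constructed token whose exp (2020-09-13) is in the past.
const EXPIRED_TOKEN = displayOnlyToken(
  { alg: 'HS256', typ: 'JWT' },
  { sub: 'user-42', iat: 1600000000, nbf: 1600000000, exp: 1600003600 },
);

console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN), null, 2));
console.log(decodeJwt(EXPIRED_TOKEN, 1700000000).status); // expired
```

The `fatal: true` option on TextDecoder and the length check before padding are what keep a malformed segment from turning into a confusing JSON error; a real tool should surface them as "not a valid JWT" rather than crashing the page.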

Standard Claims

  • sub — Subject: the entity the token refers to (usually a user ID)
  • iss — Issuer: the service that issued the token
  • aud — Audience: the intended recipient of the token
  • exp — Expires At: Unix timestamp at or after which the token must not be accepted
  • iat — Issued At: Unix timestamp when the token was created
  • nbf — Not Before: Unix timestamp before which the token must not be accepted
  • jti — JWT ID: unique identifier for the token

FAQ

Is my token sent to a server?

No. All decoding happens in your browser using JavaScript, and no token data is transmitted anywhere. Keep in mind that a JWT is normally a bearer credential: anyone who obtains it can use it until it expires. Treat a pasted production token like a password, and clear it from the input field and your clipboard when you are done.

Can this tool verify the signature?

No. Signature verification requires the secret key (for HMAC algorithms like HS256) or the public key (for RSA/ECDSA algorithms like RS256). This tool only decodes the Base64url-encoded header and payload; it does not validate the signature cryptographically. Treat the decoded claims as untrusted input until a verifier that holds the key has checked the signature, pinned the expected algorithm, and checked the issuer, audience and expiry. Never make an authorization decision from the decoded payload alone.

Why does my token show as "Expired"?

The exp claim holds a Unix timestamp. If that timestamp is at or before the current time on your local clock, the token is shown as expired. This is a display-only check: it does not verify the signature, so a token shown as Valid has not been authenticated. Real verifiers usually allow a small leeway for clock skew, so a token that shows as expired by a few seconds here may still be accepted by the issuer's own verifier, and the reverse.

What does Base64url mean?

Base64url is a variant of standard Base64 encoding that uses - instead of + and _ instead of /, and omits padding characters. It makes the token safe to use in URLs and HTTP headers without percent-encoding.

Can I decode any JWT regardless of algorithm?

Yes, for any signed token (JWS) in the three-part compact form: the header and payload are Base64url-encoded JSON regardless of the signing algorithm, so the tool can decode them without knowing the algorithm or key. The exception is an encrypted token (JWE), which has five dot-separated parts and carries ciphertext in place of a readable payload; only its header can be decoded.
