
How to Use JWT Decoder — Complete Guide

Learn how to decode and inspect JWT tokens to read headers, payloads, and expiry claims using Tools.Town's free JWT Decoder.

8 May 2026 4 min read By Tools.Town Team Fact Checked

Key Takeaways

  • Decoding does not verify the signature: it reads the header and payload by base64-decoding them, which anyone can do without the secret
  • The decoder runs 100% in your browser — no data is sent to any server
  • 'exp' (expiration time) is a Unix timestamp after which the token is no longer valid
  • A JWT is structured as: Header.Payload.Signature

What is JWT Decoder?

JWT Decoder takes a JSON Web Token (JWT) and splits it into its three components — header, payload, and signature — then pretty-prints the JSON inside each part. Instantly read exp, iat, sub, and any custom claims without writing a single line of code.

Decoding a JWT is safe and requires no secret — the payload is just base64url-encoded JSON. Anyone with the token can decode it. Secrets are only needed to verify the signature.


JWT Structure

Header

Contains the token type (JWT) and signing algorithm (e.g. HS256, RS256). Base64url-encoded JSON.

Payload

The claims — who the token is for (sub), when it expires (exp), when it was issued (iat), and any custom data.

Signature

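A cryptographic signature over the encoded header and payload, computed with the signing key (a shared secret for HS256, a private key for RS256). It is not encoded JSON, so it cannot be decoded, only verified.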


Common JWT Claims

| Claim | Name | Description |
| --- | --- | --- |
| sub | Subject | Who the token identifies (user ID) |
| iss | Issuer | Who issued the token (auth server URL) |
| aud | Audience | Who should accept the token |
| exp | Expiration | Unix timestamp when the token expires |
| iat | Issued At | Unix timestamp when it was created |
| nbf | Not Before | Token is invalid before this timestamp |
| jti | JWT ID | Unique identifier for the token |

How to Use JWT Decoder

Paste the JWT

Paste your full JWT string (eyJ... format) into the input field.

See all three parts

Header, payload, and signature panels appear instantly with formatted JSON.

Check expiry

The exp claim is shown as a human-readable datetime with an 'Expired' or 'Valid' status badge.

Copy any section

Each panel has a copy button to extract just the header or payload JSON.


Tips & Common Mistakes

Use this for debugging auth flows. When a request returns 401, paste the token here to check: Is it expired? Does the aud claim match your API? Is the sub the right user ID?

Don’t confuse decoding with verification. A decoded token shows you the claims, but it doesn’t prove the token is authentic or untampered. Always verify signatures server-side using your auth library.

Watch out for clock skew on exp. If a token appears expired but should still be valid, check that your server’s clock is synchronized (NTP). A 2-minute clock difference can cause valid tokens to appear expired.
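
The difference between decoding and verifying, and the effect of clock skew on exp, as an added example that is not part of the original guide or the Tools.Town tool. The secret, claims, and function names are constructed for illustration; production code should use a maintained auth library.

```python
import base64, hashlib, hmac, json

def b64url_decode(part: str) -> bytes:
    # JWT parts drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_unverified(token: str):
    """Return (header, payload) using no key. Says nothing about authenticity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected Header.Payload.Signature")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def sign_hs256(claims: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
        for obj in (header, claims))
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute the HMAC over Header.Payload and compare in constant time."""
    try:
        header, _ = decode_unverified(token)
        signing_input, _, sig = token.rpartition(".")
        expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
        # Pin the algorithm here; never let the token's header choose it.
        return header.get("alg") == "HS256" and hmac.compare_digest(expected, b64url_decode(sig))
    except (ValueError, AttributeError):
        return False

def exp_status(payload: dict, now: int, leeway: int = 0) -> str:
    """'Valid' while now < exp + leeway; leeway absorbs small clock skew."""
    return "Valid" if now < payload["exp"] + leeway else "Expired"

def with_edited_claims(token: str, **changes) -> str:
    """Re-encode the payload with changed claims, keeping the old signature."""
    head, body, sig = token.split(".")
    claims = {**json.loads(b64url_decode(body)), **changes}
    return ".".join([head, b64url_encode(json.dumps(claims).encode()), sig])

SECRET = b"constructed-demo-secret"  # constructed sample key, not a real one
TOKEN = sign_hs256({"sub": "user-123", "aud": "api.example",
                    "iat": 1700000000, "exp": 1700003600}, SECRET)
```

A token whose payload was edited still decodes cleanly, which is why a decoder's output alone cannot be used for authorization decisions; only `verify_hs256` rejects it.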



Frequently Asked Questions

Does decoding a JWT verify its signature?
No — decoding reads the header and payload by base64-decoding them, which anyone can do without the secret. Verification checks that the signature matches, which requires the secret key. This tool decodes only.
Is it safe to paste a JWT token here?
The decoder runs 100% in your browser — no data is sent to any server. That said, treat JWTs as sensitive credentials. Avoid pasting production access tokens into any online tool.
What is the 'exp' claim?
'exp' (expiration time) is a Unix timestamp after which the token is no longer valid. The decoder shows it as a human-readable datetime so you can immediately see if a token has expired.
Why does my JWT have three parts separated by dots?
A JWT is structured as: Header.Payload.Signature — each part is base64url-encoded. The header describes the algorithm, the payload contains the claims, the signature proves authenticity.
