Peregrine Dev

JWT Decoder — Decode JSON Web Tokens Online

Paste a JWT token to decode the header, payload, and signature instantly. Check token expiration in real time.

How to Use the JWT Decoder

  1. Paste your JWT token into the text area
  2. View the decoded header and payload as formatted JSON
  3. Check the expiration status if the token contains an exp claim
  4. Click copy buttons to copy individual sections

About This Tool

A JSON Web Token (JWT) is a compact, URL-safe format used to represent claims between two parties. JWTs are widely used for authentication, session management, and information exchange in modern web applications. Each token consists of three Base64URL-encoded parts separated by dots: header, payload, and signature.

This JWT decoder splits the token and decodes the header and payload sections, displaying the JSON contents with proper formatting. It color-codes the three sections so you can easily identify which part is which. If the payload contains an exp (expiration) claim, the tool shows whether the token has expired.

Note: this tool only decodes the token. It does not verify the signature, which would require the signing secret or public key. For security-sensitive verification, use your backend JWT library. All decoding happens locally in your browser and no token data is transmitted.
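
The decode-only steps described above, as an added example (not this tool's own source code): split the token, Base64URL-decode the header and payload, and evaluate exp. The function names, the sample claims, and the placeholder signature are assumptions constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies the signature.

// Base64URL segment -> UTF-8 text. Restores the '+', '/' and '=' that Base64URL drops.
function b64urlToText(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg) || seg.length % 4 === 1) {
    throw new Error("segment is not valid Base64URL");
  }
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(seg.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Split header.payload.signature and parse the first two parts as JSON.
function decodeJwt(token) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated parts");
  return {
    header: JSON.parse(b64urlToText(parts[0])),
    payload: JSON.parse(b64urlToText(parts[1])),
    signature: parts[2],   // left encoded: it is raw bytes, not JSON
    verified: false,       // decoding alone never establishes trust
  };
}

// exp is seconds since the Unix epoch; the token is expired once now >= exp (RFC 7519).
function expStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp !== "number") return "no exp claim";
  return nowSeconds >= payload.exp ? "expired" : "not expired";
}

// Constructed sample token (hypothetical claims, placeholder signature, 15-minute lifetime).
function toB64url(obj) {
  return btoa(JSON.stringify(obj))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const sampleToken = [
  toB64url({ alg: "HS256", typ: "JWT" }),
  toB64url({ sub: "user-123", iat: 1700000000, exp: 1700000900 }),
  "constructed-placeholder-signature",
].join(".");

const decoded = decodeJwt(sampleToken);
console.log(decoded.header, decoded.payload, expStatus(decoded.payload));
```

The sample decodes cleanly even though its signature is a meaningless placeholder, which is why decoded claims must not be trusted until a backend library has verified the signature.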

Frequently Asked Questions

No. Signature verification requires the signing secret (for HMAC) or the public key (for RSA/EC). This tool only decodes and displays the header and payload. Never rely on decoded data without server-side verification.

Yes. All decoding happens locally in your browser using JavaScript. Your token is never sent to any server. However, avoid sharing tokens in general as they may grant access to resources.

The tool displays all claims present in the payload, including standard claims like iss (issuer), sub (subject), aud (audience), exp (expiration), iat (issued at), and nbf (not before), as well as any custom claims.

The exp claim is a Unix timestamp representing when the token expires. If the current time is past that timestamp, the tool marks it as expired. Short-lived tokens (e.g., 15 minutes) are common in OAuth flows.
