// decode header · inspect payload claims · check expiry · verify signature · nothing leaves your browser
A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It consists of three Base64URL-encoded parts separated by dots: a header (algorithm and token type), a payload (claims like user ID, roles, expiry), and a signature to verify the token hasn't been tampered with.
exp, iat, nbf are shown with human-readable times.

JSON Web Tokens are the foundation of modern stateless authentication. When a user logs in, the server creates a JWT containing the user's identity and permissions, signs it with a secret key, and sends it to the client. The client stores this token (typically in localStorage or a cookie) and sends it with every subsequent request in the Authorization header.
The server can then verify the token's signature without consulting a database — it simply recomputes the signature using its secret key and checks it matches. This makes JWT-based auth highly scalable since there's no session store to query on every request. The token itself carries all the information needed to authenticate the user.
The three-part structure of a JWT (header.payload.signature) means the header and payload are readable by anyone — they're just Base64URL encoded, not encrypted. Only the signature requires the secret key to verify. Never store sensitive data like passwords in a JWT payload unless the token is encrypted (JWE).
sub (Subject) — Identifies the principal that is the subject of the JWT. Usually the user ID.
iss (Issuer) — Identifies the principal that issued the JWT — typically your auth server's URL.
aud (Audience) — Identifies the recipients the JWT is intended for. Your API should reject tokens not intended for it.
exp (Expiration) — Unix timestamp after which the token must not be accepted. Always set an expiry on JWTs.
iat (Issued At) — Unix timestamp when the JWT was issued. Useful for determining token age.
nbf (Not Before) — Unix timestamp before which the token must not be accepted.
sub (subject) — who the token refers to. iss (issuer) — who created it. aud (audience) — who it's intended for. exp (expiry) — when it expires. iat (issued at) — when it was created. nbf (not before) — earliest valid time.

The exp claim is a Unix timestamp. When the current time passes that timestamp, the token is considered expired and should be rejected by your server. Most auth systems issue short-lived tokens (15 min to 1 hour) and use refresh tokens to get new ones.