
JWT Token Decoder

Decode, inspect and validate JSON Web Tokens instantly

Advanced JWT Decoding Features

Detailed Token Analysis

View decoded header and payload with syntax highlighting for easy reading of claims and metadata.

Expiration Check

Automatically detects and displays the token's expiration status based on the 'exp' claim.

Signature Verification

Verify token signatures with the HMAC secret or the issuer's RSA public key to check that the token has not been altered since it was signed.

What Is a JWT Token?

A JSON Web Token (JWT) is an open standard (RFC 7519) for representing claims that are transferred between two parties as a compact, URL-safe string. Almost every JWT you meet in practice is a signed token (a JWS): the signature lets the recipient detect tampering, but it does not hide the contents. Encrypted JWTs (JWE) exist but are far less common. JWTs are widely used for authentication and authorisation in modern web applications: when you log in to a website or API, the server typically issues a JWT that your browser or app sends back with each subsequent request as a bearer credential to prove your identity.

A JWT consists of three Base64URL-encoded parts (the Base64 alphabet with '-' and '_' in place of '+' and '/', and no '=' padding) separated by dots: the Header (algorithm and token type), the Payload (claims, such as user ID, roles, and expiry), and the Signature (an HMAC or digital signature computed over the first two parts exactly as they appear in the token, which lets the recipient detect tampering). The header and payload decode to JSON; the signature decodes to raw bytes, not JSON. This tool decodes and displays all three parts in a human-readable format.

How to Decode a JWT Token

  1. Paste your token — copy a JWT from your browser's developer tools, an API response, or your application logs, and paste it into the input field.
  2. View the decoded parts — the tool automatically splits the token at the dots, decodes the header and payload and displays them as formatted JSON with syntax highlighting, and shows the signature as its raw encoded value (the signature is bytes, not JSON).
  3. Check expiry and claims — the payload section shows standard claims like exp (expiry time), iat (issued at), sub (subject/user ID), and any custom claims your application includes. Decoding alone does not validate anything: until the signature has been checked, every claim is unauthenticated input.
  4. Verify the signature — use the Verify tab to test the signature against a known secret (HMAC algorithms) or public key (RSA algorithms) to confirm the token is authentic and unmodified. With HMAC, whoever holds the secret can mint valid tokens, so only paste it into tooling you trust.

Common JWT Claims Explained

JWT payloads typically contain the registered claims defined in RFC 7519: iss (issuer, who created the token), sub (subject, who the token represents, usually a user ID), aud (audience, who the token is intended for; a single string or an array of strings), exp (expiration time), nbf (not-before time), iat (issued-at time), and jti (JWT ID for uniqueness and replay detection). The three time claims are NumericDate values: seconds since the Unix epoch, not milliseconds. Beyond these, applications can include any custom claims they need, such as user roles, permissions, or feature flags. Note that decoding a claim does not make it trustworthy; only a verified signature from the expected issuer does, and even then the receiving service should check that iss and aud are the values it expects.

Frequently Asked Questions

Is it safe to paste my JWT token here?

All decoding happens entirely in your browser using JavaScript. Your token is never sent to any server (you can confirm this for any client-side tool by watching the network tab of your developer tools while you paste). That said, JWT payloads are only Base64URL-encoded, not encrypted: anyone who obtains the token can decode the payload, and anyone who obtains a valid, unexpired token can use it as if they were you, because it is a bearer credential. Treat tokens like passwords: never share them in public or untrusted environments, and revoke or let expire any token you suspect has leaked.

Can I edit the payload and re-encode a token?

This tool is a decoder and inspector; it does not re-sign tokens. The signature covers the header and payload exactly as they are encoded in the token, so if you modify the payload and re-encode it without the original signing secret or private key, the signature no longer matches and a server that verifies signatures will reject the token. Even an unchanged payload can break the signature if re-serialising the JSON changes key order or whitespace. Modifying tokens without authorisation may also violate your application's security policies, and doing so against systems you do not own may be unlawful.

What signing algorithms are supported?

The decoder displays the algorithm from the token header (e.g. HS256, HS384, HS512, RS256, RS384, RS512, ES256). Signature verification supports HMAC algorithms (HS256/384/512) with a secret key, and RSA algorithms (RS256/384/512) with a public key; ES256 tokens are decoded but not verified. Select the key type that matches the algorithm your issuer actually uses: the alg field in the header is unauthenticated input until the signature has been checked, so a verifier should decide the algorithm from its own configuration rather than from the token.

Why does my token show as expired?

The exp claim in the JWT payload is a Unix timestamp in seconds (not milliseconds, so compare it against Date.now() / 1000 in JavaScript, not Date.now()). If that timestamp is in the past relative to the current time, the token has expired. Servers check this claim and reject expired tokens, usually allowing a small leeway of a few seconds for clock skew between issuer and verifier. A token that appears expired only on your machine may indicate that your clock is wrong; otherwise you need to obtain a fresh token by logging in again or using a refresh token.