A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three Base64URL-encoded parts separated by dots: Header (algorithm info), Payload (claims/data), and Signature (verification). JWTs are commonly used for authentication, authorization, and information exchange in web APIs.

How do I decode a JWT token?

Paste your JWT token into our decoder and it instantly splits it into header, payload, and signature. Each part is Base64URL-decoded and displayed as formatted JSON. You can see all claims, timestamps (converted to readable dates), and algorithm information. Our tool works entirely in your browser — your token is never sent to any server.

Is it safe to decode JWT tokens online?

Our JWT decoder processes everything client-side in your browser using JavaScript. Your token is never transmitted to any server. However, remember that JWT payloads are only Base64-encoded (not encrypted), so anyone with the token can read the payload. Never put sensitive data in JWT payloads.

What are standard JWT claims?

Standard (registered) JWT claims include: 'iss' (issuer), 'sub' (subject), 'aud' (audience), 'exp' (expiration time), 'nbf' (not before), 'iat' (issued at), and 'jti' (JWT ID). These are predefined by the JWT specification (RFC 7519). Applications can also define custom claims for their specific needs.

What JWT algorithms are supported?

Common JWT signing algorithms include: HMAC-based (HS256, HS384, HS512) using shared secrets, RSA-based (RS256, RS384, RS512) using public/private key pairs, ECDSA-based (ES256, ES384, ES512) for smaller keys, and PSS-based (PS256, PS384, PS512). Our decoder identifies the algorithm from the header.

How do I check if a JWT is expired?

Our decoder automatically checks the 'exp' (expiration) claim and shows whether the token is currently valid or expired. It converts Unix timestamps to human-readable dates and shows time remaining or time since expiration. The 'iat' (issued at) timestamp shows when the token was created.

JWT Decoder

Our JWT decoder parses JSON Web Tokens and displays the header, payload, and signature in a clear, formatted view. See all standard claims (iss, sub, aud, exp, iat, nbf, jti) with human-readable timestamps. Check if tokens are expired, view algorithm information, and copy individual sections. Supports HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, and PS256 algorithms. 100% client-side — your tokens are never sent to any server.

star 4.9 (2,000 ratings)

calendar_today Updated: April 2026

auto_awesome AI Insights AI

New

JWT Token

auto_awesome AI Analysis

JWT Analysis:

Algorithm: Check header for signing algorithm
Claims: Review payload for exp, iat, sub claims

Tip: JWTs are encoded, NOT encrypted — never store secrets in them.

lightbulb Tips

•JWT = Header.Payload.Signature (3 parts)
•Payloads are encoded, NOT encrypted
•Always check 'exp' claim for expiration
•RS256 is more secure than HS256 for APIs

How to Use This Calculator

content_paste

Paste Token

Paste your JWT token (the long string with two dots) into the input field.

code

View Header

See the algorithm and token type from the JWT header.

visibility

Inspect Payload

View all claims including timestamps, subject, issuer, and custom data.

schedule

Check Expiration

See if the token is expired and when it was issued.

The Formula

A JWT consists of three Base64URL-encoded parts separated by dots. The Header specifies the signing algorithm (e.g., HS256, RS256). The Payload contains claims — registered claims like 'exp' (expiration), 'iat' (issued at), 'sub' (subject), and custom claims. The Signature is created by signing the encoded header and payload with a secret key or private key.

JWT = Base64URL(Header) + '.' + Base64URL(Payload) + '.' + Signature

lightbulb Variables Explained

Header JSON object with algorithm (alg) and token type (typ)
Payload JSON object containing claims (data) like sub, exp, iat
Signature HMAC or RSA signature of header + payload for verification
Base64URL URL-safe Base64 encoding (- instead of +, _ instead of /)

tips_and_updates Pro Tips

JWT tokens are NOT encrypted — anyone can read the payload by Base64-decoding it

Always check the 'exp' claim — expired tokens should be rejected by your API

The 'iat' (issued at) and 'nbf' (not before) claims help prevent token replay attacks

HS256 uses a shared secret; RS256 uses public/private key pairs — RS256 is more secure for distributed systems

Never store sensitive data (passwords, credit cards) in JWT payloads

Token size matters — JWTs are sent with every HTTP request in the Authorization header

Use short expiration times (15-60 min) with refresh tokens for better security

Decode & Inspect JWT Tokens Online

Our free JWT decoder parses JSON Web Tokens and displays the header, payload, and signature in a clear, formatted view. Check expiration times, view all claims, and inspect token details. 100% client-side — your tokens never leave your browser.

JWT Token Decoder - View Header & Payload

Paste any JWT token and instantly see its decoded header and payload as formatted JSON. Our decoder identifies the signing algorithm, displays all standard and custom claims, and converts Unix timestamps to human-readable dates. Color-coded display makes it easy to distinguish the three JWT parts.

JWT Debugger - Check Expiration & Claims

Debug JWT issues by checking expiration times, issued-at timestamps, and claim values. Our tool shows whether tokens are expired, how long until expiration, and highlights potential issues. Essential for API development, authentication debugging, and security auditing.

Frequently Asked Questions

Related Tools

View all General View all arrow_forward

widgets