jwt-decoder
// client-side only — no network requests
About JWT Decoder
A JSON Web Token (JWT) consists of three Base64url-encoded parts separated by dots: the header (algorithm and token type), the payload (claims and data), and the signature. This decoder splits and decodes the first two parts so you can read the contents without any server or library.
Paste any JWT and instantly see the decoded header and payload formatted as readable JSON. The decoder also highlights key claims: the expiration time (exp), issued-at time (iat), not-before time (nbf), and audience (aud) — with human-readable dates so you don't have to manually convert Unix timestamps.
This is useful when debugging authentication issues, verifying what claims a token contains, checking whether a token has expired, inspecting tokens from third-party services, or understanding how OAuth and OpenID Connect tokens are structured.
Important: this tool only decodes the token — it does not verify the signature. Signature verification requires the secret key and must be done server-side. Never trust a decoded JWT payload for authorization decisions without verifying the signature first.
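The decoding and claim-highlighting behaviour described above, as an added example that is not the decoder page's own source. It splits a token, Base64url-decodes the header and payload, annotates exp, iat and nbf with ISO dates and an expired/not-yet-valid flag, and deliberately leaves the signature untouched. The function and field names (base64UrlDecode, decodeJwt, claims, signatureVerified) are this example's own; the sample token is constructed inline and is not a real credential.

```javascript
// Added example (not the page's tool): decode a JWT without verifying it.
// Uses only browser-style globals (atob/btoa, TextDecoder), which Node 16+
// also provides, so it runs in either environment.

function base64UrlDecode(segment) {
  // Base64url -> standard Base64, then restore the padding that JWTs omit.
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const rem = b64.length % 4;
  if (rem === 1) throw new Error("invalid base64url segment");
  if (rem) b64 += "=".repeat(4 - rem);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8").decode(bytes);
}

function base64UrlEncode(str) {
  // Used only to build the constructed sample token below.
  const bin = String.fromCharCode(...new TextEncoder().encode(str));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function describeTime(claim, value, now) {
  // Unix seconds -> ISO date, plus the status check the decoder page flags.
  const date = new Date(value * 1000).toISOString();
  if (claim === "exp") return { value, date, expired: value < now };
  if (claim === "nbf") return { value, date, notYetValid: value > now };
  return { value, date };
}

function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("expected 3 dot-separated parts, got " + parts.length);
  }
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));

  const claims = {};
  for (const c of ["exp", "iat", "nbf"]) {
    if (typeof payload[c] === "number") claims[c] = describeTime(c, payload[c], now);
  }
  if (payload.aud !== undefined) claims.aud = [].concat(payload.aud); // string or array

  // The third segment is returned as-is: reading it is not verifying it.
  return { header, payload, signature: parts[2], claims, signatureVerified: false };
}

// Constructed sample (not a real credential): the standard HS256 header, a
// payload that expired at Unix time 1700000000, and a dummy signature segment.
const SAMPLE_PAYLOAD = {
  iss: "https://issuer.example",
  sub: "user-123",
  aud: "api.example",
  iat: 1699996400,
  nbf: 1699996400,
  exp: 1700000000,
};
const SAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)) +
  ".not-a-real-signature";

// Evaluate the sample one second after its exp so the expired flag is set.
console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN, 1700000001), null, 2));
```

Passing `now` explicitly makes the expiry check deterministic, which is what you want in tests; in the browser the default argument gives the live comparison against Math.floor(Date.now() / 1000). Nothing here touches the signature, so a token with any third segment at all decodes the same way.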
Frequently Asked Questions
Is it safe to paste a JWT into an online decoder?
This tool processes everything in your browser — no data is sent to any server. That said, JWTs often contain auth credentials. For production tokens, use browser devtools or a local CLI tool like jwt-cli. For debugging and learning, this tool is safe.
What does "signature not verified" mean?
JWT signatures are checked with a key: the shared secret for HS256, or the issuer's public key for RS256 and ES256. The signing key itself is held only by the issuer. This decoder can read the header and payload (which are just Base64url-encoded), but cannot verify the signature without a key. Always verify signatures server-side before trusting JWT claims.
What are the standard JWT claims?
Standard registered claims include: iss (issuer), sub (subject — usually user ID), aud (audience), exp (expiration time as Unix timestamp), iat (issued at), nbf (not before), and jti (JWT ID for uniqueness). Any additional claims are custom.
What's the difference between HS256, RS256, and ES256 algorithms?
HS256 is HMAC-SHA256 — symmetric, uses a shared secret. RS256 is RSA-SHA256 — asymmetric, uses a private key to sign and a public key to verify. ES256 is ECDSA with the P-256 curve and SHA-256 — asymmetric like RS256 but with smaller keys and signatures. For public APIs, RS256 or ES256 are preferred since the public key can be shared without exposing the signing key.
How do I check if a JWT has expired?
The exp claim is a Unix timestamp (seconds since epoch). Compare it to Math.floor(Date.now() / 1000). If exp < current time, the token is expired. This decoder shows the expiration as a human-readable date and flags expired tokens visually.