JWT Decoder

Decode and inspect JSON Web Tokens instantly. View header, payload, claims, and signature details.

JWT Token

Paste a JWT token above to decode it instantly

Features

Everything you need to inspect and debug JSON Web Tokens.

Real-Time Decoding

Decode JWT tokens instantly as you type or paste. No button clicks needed with smart debounced parsing.

Expiration Analysis

Automatically detects token expiration from the exp claim and displays human-readable dates with expired status.

Claim Highlighting

Important JWT claims (iss, sub, aud, exp, iat, nbf) are highlighted for quick identification in the payload.

Expiration Tracking

Instantly see if a token is expired, when it was issued, and how long until it expires.

How It Works

Three simple steps to decode any JWT.

Paste Your Token

Paste your JWT token into the input field. The token should have three Base64URL-encoded parts separated by dots.

Instant Decode

The token is decoded in real-time, splitting the header, payload, and signature into clearly labeled sections.

Inspect & Copy

Review the decoded claims, check expiration status, and copy the formatted header or payload JSON with one click.

Related Tools

More developer tools to help with encoding, hashing, and debugging.

Hash Generator

Generate MD5, SHA-1, SHA-256 and other cryptographic hashes.

String Encoder

Encode and decode strings between Base64, Hex, Unicode and more.

JSON Formatter

Format, validate, and beautify JSON data with syntax highlighting.

Frequently Asked Questions

Common questions about JSON Web Tokens and this decoder.

A JWT is a compact, URL-safe token format used for securely transmitting information between parties as a JSON object. It consists of three parts: a header (algorithm and type), a payload (claims/data), and a signature. JWTs are commonly used for authentication and authorization in web applications and APIs.

JWT claims are key-value pairs in the payload. Standard registered claims include: iss (issuer - who created the token), sub (subject - who the token is about), aud (audience - intended recipient), exp (expiration time), iat (issued at time), and nbf (not before - token is not valid before this time). All time values are Unix timestamps in seconds.

No. Tokens are decoded locally and never transmitted. This is important since JWTs often contain sensitive claims and session data.

No. Signature verification requires the secret key (for HMAC algorithms) or the public key (for RSA/ECDSA algorithms). This decoder shows the signature string and the algorithm used, but does not validate authenticity.