JWT Decoder: Inspect JSON Web Tokens Instantly
JSON Web Tokens (JWTs) are the backbone of modern authentication. Every time you log in to a web app, there's a good chance a JWT is being issued and validated behind the scenes. Understanding what's inside a token, without having to decode it by hand, is an essential skill for any developer.
What Is a JWT?
A JWT is a compact, URL-safe token that encodes a JSON object. It's commonly used to prove that a user is authenticated, to pass user roles and permissions between services, and to validate API requests. The token itself is not secret: it is Base64-encoded, not encrypted, which means anyone who has the token can read its contents. The security comes from the signature, which ensures the token hasn't been tampered with.
The Three Parts of a JWT
A JWT looks like three Base64url-encoded strings separated by dots: xxxxx.yyyyy.zzzzz. Each part serves a distinct purpose.
Header
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Declares the token type (JWT) and the signing algorithm used (e.g. HS256, RS256). Always the first segment.
Payload
eyJzdWIiOiIxMjM0IiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNzE2MjM5MDIyfQ
Contains the claims: statements about the user and any additional data. This is what your application reads. It is Base64-encoded, not encrypted.
Signature
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
The HMAC or RSA signature of the header and payload. Verifying it requires the secret key, so a decoder can only display the signature; it cannot verify it without the key.
Common JWT Claims
The JWT specification defines several registered claims that have well-known meanings. You'll encounter these in almost every token you decode.
sub
Subject: the user ID or entity the token represents
iss
Issuer: the service that created the token (e.g. auth.myapp.com)
aud
Audience: which service(s) should accept this token
exp
Expiration time: Unix timestamp after which the token is invalid
iat
Issued at: Unix timestamp of when the token was created
nbf
Not before: the token is invalid before this timestamp
Token Expiry: Why exp Matters
The exp claim is a Unix timestamp (seconds since 1 January 1970 UTC). When a server validates a token, it checks that the current time is before this value. If the token is expired, the request is rejected. A good JWT decoder converts this timestamp to a human-readable date so you can instantly see whether a token has expired, which is useful when debugging authentication failures.
Security note
Never paste real production tokens into any online tool, including this one. A JWT containing a valid session can be replayed by anyone who has it. For debugging, use tokens from a local dev environment, tokens you've already revoked, or tokens with very short expiry times. Our decoder runs entirely in your browser and sends nothing to a server, but the habit of protecting real tokens is worth keeping.
How to Use the JWT Decoder
Paste your token
Copy any JWT string (the three-part dotted format) and paste it into the input field.
Inspect each section
The tool splits and decodes all three parts instantly: the header algorithm, the payload claims, and the raw signature.
Check expiry
Any exp or iat timestamps are automatically converted to readable dates so you can see exactly when the token was issued and when it expires.
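As an added example (not the decoder's own code), the steps above in Python: split the token, restore the Base64url padding that JWT segments omit, read the header and claims, turn iat/exp into readable dates, and, when you do hold the secret, verify an HS256 signature with a constant-time comparison. The header and payload segments are the ones shown on this page; the secret is a made-up development value.

```python
import base64
import hashlib
import hmac
import json
import time
from datetime import datetime, timezone


def b64url_decode(segment: str) -> bytes:
    """Base64url decode; JWT segments drop the '=' padding, so add it back."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> dict:
    """Split header.payload.signature and decode; this verifies nothing."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(signature_b64),
    }


def fmt_ts(ts: int) -> str:
    """Render a Unix timestamp claim (exp, iat, nbf) as a readable UTC date."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def is_expired(payload: dict, now=None) -> bool:
    """True once the current time is no longer before exp; no exp means never expires."""
    now = int(time.time()) if now is None else now
    return "exp" in payload and now >= payload["exp"]


def sign_hs256(header_b64: str, payload_b64: str, secret: bytes) -> str:
    mac = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return b64url_encode(mac)


def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute the HMAC over header.payload; the verifier, not the token, picks the algorithm."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return False
    return hmac.compare_digest(sign_hs256(header_b64, payload_b64, secret), signature_b64)


# Constructed sample: the header and payload segments from this page, signed with a dev-only secret.
HEADER_B64 = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
PAYLOAD_B64 = "eyJzdWIiOiIxMjM0IiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNzE2MjM5MDIyfQ"
DEV_SECRET = b"dev-only-secret"
SAMPLE_TOKEN = f"{HEADER_B64}.{PAYLOAD_B64}.{sign_hs256(HEADER_B64, PAYLOAD_B64, DEV_SECRET)}"

if __name__ == "__main__":
    parts = decode_jwt(SAMPLE_TOKEN)
    print("alg:", parts["header"]["alg"], "| claims:", parts["payload"])
    for claim in ("iat", "nbf", "exp"):
        if claim in parts["payload"]:
            print(f"{claim}: {fmt_ts(parts['payload'][claim])}")
    print("expired:", is_expired(parts["payload"]))
    print("signature valid:", verify_hs256(SAMPLE_TOKEN, DEV_SECRET))
```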
Decode a JWT token now
Header · Payload · Claims · Expiry · Free · No sign-up
Open JWT Decoder