JWT Decoder: Inspect Tokens Instantly
Paste a JSON Web Token to decode its header and payload, check expiration status, and inspect individual claims. Everything runs in your browser. Your token is never transmitted anywhere.
How to Use
- Paste your JWT into the input field (it starts with eyJ)
- Review the header to see the signing algorithm (HS256, RS256, etc.) and token type
- Inspect the payload for claims like subject, issuer, expiration, and custom fields
- Check the expiry banner to see if the token is still valid or when it expired
- Copy individual sections using the Copy buttons on each panel
Understanding JWT Structure
A JWT is three Base64URL-encoded segments separated by dots: header.payload.signature. The header declares the algorithm used for signing. The payload carries the claims: standardized fields like iss (issuer), sub (subject), exp (expiration), and iat (issued at), plus any custom claims your application adds. The signature is computed over the header and payload using the algorithm specified in the header.
Tokens are not encrypted by default. Anyone who intercepts a JWT can read the header and payload. The signature only guarantees integrity, confirming that the token was created by someone with the signing key and hasn’t been modified since.
Standard Claims
- iss (Issuer): who created the token (e.g., auth.example.com)
- sub (Subject): the user or entity the token represents
- aud (Audience): the intended recipient (your API, a service)
- exp (Expiration): Unix timestamp when the token becomes invalid
- iat (Issued At): Unix timestamp when the token was created
- nbf (Not Before): Unix timestamp before which the token is not valid
- jti (JWT ID): a unique identifier for the token, useful for revocation
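The structure and claims described above, as an added example that is not this tool's own code: a Node.js function that splits a token into its three segments, decodes the header and payload, and reports expiry from exp and nbf without verifying the signature. The names inspectJwt and decodeSegment and the sample token are assumptions constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. No signature verification happens here.
function decodeSegment(seg) {
  // Base64URL uses '-' and '_' and omits '=' padding; reject anything else.
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error('segment is not Base64URL');
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const json = Buffer.from(b64, 'base64').toString('utf8');
  const obj = JSON.parse(json); // throws on non-JSON content
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    throw new Error('segment is not a JSON object');
  }
  return obj;
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  let status = 'no exp claim';
  if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) {
    status = 'not yet valid';
  } else if (typeof payload.exp === 'number') {
    status = nowSeconds >= payload.exp ? 'expired' : 'not expired';
  }
  return {
    header,
    payload,
    status,
    hasSignature: parts[2].length > 0,
    signatureVerified: false, // decoding alone proves nothing about authenticity
  };
}

// Constructed sample token: the signature segment is a dummy string, not a real MAC.
const encode = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleToken = [
  encode({ alg: 'HS256', typ: 'JWT' }),
  encode({ iss: 'auth.example.com', sub: 'user-123', iat: 1700000000, exp: 1700003600 }),
  'c2FtcGxlLXNpZw',
].join('.');

console.log(inspectJwt(sampleToken, 1700001000)); // evaluated before exp
console.log(inspectJwt(sampleToken, 1700004000).status); // evaluated after exp
```

The result always carries signatureVerified: false, because a readable payload says nothing about who issued the token; a server must verify the signature with its key before trusting any claim.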
Need to convert the exp or iat timestamps to a readable date? Use the Unix Timestamp Converter. Want to examine the decoded JSON more closely? Paste it into the JSON Formatter.