JWT Decoder
Paste a JWT token to decode and inspect its header, payload, and expiry — entirely in your browser. Signature verification is not performed.
{
  "alg": "HS256",
  "typ": "JWT"
}
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 9999999999
}
Signature is not verified — requires the secret or public key.
Frequently Asked Questions
Does this tool verify the JWT signature?
No. Verifying a JWT signature requires the secret key (for HMAC algorithms) or the public key (for RSA/ECDSA algorithms). This tool only decodes and displays the header and payload — it does not verify that the token is authentic or untampered. Never trust a token's claims based on decoding alone; always verify the signature server-side.
Is it safe to paste a JWT here?
For non-production tokens or tokens that have already expired, decoding locally is safe — this tool runs entirely in your browser and sends nothing to a server. For live production tokens with sensitive claims (user IDs, roles, permissions), consider decoding in a private/incognito window, or use a local tool. Avoid pasting tokens that grant access to production systems.
What are the three parts of a JWT?
A JWT has three Base64URL-encoded parts separated by dots. The header declares the signing algorithm (e.g. HS256, RS256) and token type (JWT). The payload contains the claims — standard ones like sub (subject), iat (issued at), and exp (expiry), plus any custom claims your application adds. The signature is computed from the header and payload using the secret or private key.
What do "iat" and "exp" mean?
"iat" (issued at) is the Unix timestamp when the token was created. "exp" (expiration) is the Unix timestamp after which the token should be rejected. Both are in seconds since the Unix epoch (January 1, 1970 UTC). This tool converts them to a human-readable date and flags whether the token is currently expired.
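The decoding and expiry check described in the two answers above can be sketched as follows. This is an added example, not this tool's own source code; the function names (b64urlDecode, decodeJwt, sampleToken) are assumptions, and the sample token is constructed from the header and payload shown on this page with a placeholder in place of a signature.

```javascript
// Added example: decode-only inspection. Nothing here verifies the signature.

// Base64URL segment -> UTF-8 text; rejects characters outside the Base64URL alphabet.
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("invalid Base64URL segment");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4); // restore stripped padding
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error(`expected 3 parts, got ${parts.length}`);
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(b64urlDecode(p)));
  for (const part of [header, payload]) {
    if (part === null || typeof part !== "object" || Array.isArray(part)) {
      throw new Error("header and payload must be JSON objects");
    }
  }
  // iat/exp are seconds since the Unix epoch; Date expects milliseconds.
  const toIso = (v) => (Number.isFinite(v) ? new Date(v * 1000).toISOString() : null);
  return {
    header,
    payload,
    issuedAt: toIso(payload.iat),
    expiresAt: toIso(payload.exp),
    // null means "no usable exp claim", which is different from "not expired".
    expired: Number.isFinite(payload.exp) ? nowSeconds >= payload.exp : null,
    signatureVerified: false, // decoding says nothing about authenticity
  };
}

// Constructed sample: this page's header and payload plus a placeholder third
// segment that is not a real signature.
const b64url = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
function sampleToken(exp = 9999999999) {
  return [
    b64url({ alg: "HS256", typ: "JWT" }),
    b64url({ sub: "1234567890", name: "John Doe", iat: 1516239022, exp }),
    "placeholder-signature",
  ].join(".");
}

console.log(decodeJwt(sampleToken()));
```

The placeholder third segment decodes without complaint, which is why the result always carries signatureVerified: false.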
How to use
- Paste a JWT token into the input — header and payload decode instantly.
- Expiry is checked automatically and flagged if the token is expired.
- This tool decodes only — it does not verify the signature.