
JWT Decoder

Inspect JWT tokens.

Paste a JWT token. We decode in your browser — no server roundtrip.

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1916239022
}
Expiration: Active (Sep 21, 2030, 4:37 PM)

Signature

4Adcj3UFYzPUVaVF43FmMab6RlaQD8A9V8wFzzht-KQ

The signature is not verified here. To verify it you need the issuer's secret (HS256) or public (RS256/ES256) key.

How this tool works

A JWT (JSON Web Token, RFC 7519) is a compact token made of three dot-separated parts: header.payload.signature. The header and payload are Base64URL-encoded JSON; the signature is an HMAC or asymmetric signature computed over the encoded header and payload.

This decoder inspects all three components in your browser, identifies the algorithm (HS256, RS256, ES256...), parses standard claims (iss, sub, exp, iat, aud) and warns if the token is expired. It does not verify the signature; that requires the issuer's secret (HS256) or public (RS256/ES256) key.

How to use it, step by step

  1. Paste the JWT: Any full token with its three dot-separated parts.
  2. Inspect claims: We show algorithm (alg), type (typ), issuer (iss), audience (aud), expiration (exp) and custom claims.
  3. Copy parts: Header, payload and signature separately for debugging.

Common pitfalls

  • Never paste production JWTs into third-party online sites. This decoder is 100% client-side, but auditing the code first is good practice.
  • Decoding ≠ verifying. A JWT can be tampered with and still decode cleanly. Verification requires the secret or public key.
  • Algorithm "none": a historical vulnerability. If you see it, your auth library is misconfigured.
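
The gap between decoding and verifying, shown as an added example that is not this tool's own code: a tampered token and an alg "none" token both decode cleanly, and only verification with a pinned algorithm, an HMAC check and an exp check rejects them. It assumes Node.js and HS256; the function names, the secret and the sample tokens are constructed for illustration.

```javascript
// Added example, not the decoder's code. Assumes Node.js; all sample values are constructed.
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64urlJson = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const hmac = (input, secret) => createHmac('sha256', secret).update(input).digest();

// Decode only: what a decoder page does. Proves nothing about authenticity.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [header, payload] = parts.slice(0, 2)
    .map((p) => JSON.parse(Buffer.from(p, 'base64url').toString('utf8')));
  return { header, payload, signingInput: `${parts[0]}.${parts[1]}`, signature: parts[2] };
}

// Hypothetical helper that builds the constructed sample tokens below.
function signHs256(payload, secret) {
  const input = `${b64urlJson({ alg: 'HS256', typ: 'JWT' })}.${b64urlJson(payload)}`;
  return `${input}.${hmac(input, secret).toString('base64url')}`;
}

// Verify: pin the algorithm, compare the HMAC in constant time, then require a future exp.
function verifyHs256(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { header, payload, signingInput, signature } = decodeJwt(token);
  if (header.alg !== 'HS256') throw new Error(`alg not allowed: ${header.alg}`);
  const expected = hmac(signingInput, secret);
  const actual = Buffer.from(signature, 'base64url');
  if (actual.length !== expected.length || !timingSafeEqual(actual, expected)) {
    throw new Error('bad signature');
  }
  // Policy assumption of this example: exp is mandatory.
  if (!(payload.exp > nowSeconds)) throw new Error('expired or missing exp');
  return payload;
}

// Returns 'ok' when the token verifies, otherwise the rejection reason.
function check(token, secret, nowSeconds) {
  try { verifyHs256(token, secret, nowSeconds); return 'ok'; } catch (e) { return e.message; }
}

const SECRET = 'constructed-demo-secret'; // constructed, not a real key
const NOW = 1700000000;                   // fixed clock so results are repeatable
const good = signHs256({ sub: '1234567890', exp: 1916239022 }, SECRET);
const [headerPart, payloadPart, sigPart] = good.split('.');
// Payload swapped after signing: still decodes, signature no longer matches.
const tampered = `${headerPart}.${b64urlJson({ sub: 'admin', exp: 1916239022 })}.${sigPart}`;
// Header claims alg "none" and carries an empty signature.
const unsigned = `${b64urlJson({ alg: 'none', typ: 'JWT' })}.${payloadPart}.`;
const stale = signHs256({ sub: '1234567890', exp: NOW - 60 }, SECRET);
```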

Frequently asked questions

Does the decoder verify the signature?
No. Decode only. Verifying requires the secret (HS256) or public (RS256/ES256) key from the issuer.
What is exp and why does it matter?
exp is the Unix timestamp when the token stops being valid. An expired JWT should be rejected by the server even with a correct signature.
Is it safe to paste my token here?
The decoder runs 100% in-browser (you can audit the code). Still, for high-value production tokens, run locally or use jwt.io carefully.
Can I decode an encrypted token (JWE)?
No. JWE (JSON Web Encryption) is different from signed JWT. You'd need the receiver's encryption key.