JWT Decoder
Decode and inspect JWT header, payload and expiry
Decode and inspect any JSON Web Token (JWT). View the header, payload, and expiry — and verify the signature with your secret or public key. All decoding runs locally in your browser.
What is a JWT?
A JSON Web Token is a compact, URL-safe token used for authentication and information exchange between parties. It consists of three dot-separated Base64url-encoded parts: header, payload (claims), and signature.
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.abc123signature
JWT parts
| Part | Contents | Purpose |
|---|---|---|
| Header | { "alg": "HS256", "typ": "JWT" } | Specifies signing algorithm and token type |
| Payload | { "sub": "123", "exp": 1700000000 } | Claims — data the token carries (user ID, expiry, etc.) |
| Signature | HMAC/RSA of header + payload | Proves the token has not been tampered with |
Common claims
- iss: Issuer — who created the token
- sub: Subject — usually the user ID
- aud: Audience — intended recipient
- exp: Expiry time (Unix timestamp)
- iat: Issued at (Unix timestamp)
- jti: Unique token ID (for revocation)
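The decoding and expiry check described above, as an added example (not this tool's own code): it splits the token, Base64url-decodes the header and payload, and compares exp with the current time. The names b64urlToString and inspectJwt are assumptions made for illustration.

```javascript
// Added example. Decoding only reads the token; it does not prove authenticity.

// Base64url -> UTF-8 text. JWT segments use the URL-safe alphabet without padding.
function b64urlToString(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) {
    throw new Error('segment is not Base64url');
  }
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// Returns the decoded header and payload plus an expiry verdict.
// nowSeconds is a parameter so the check can be tested against a fixed clock.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) {
    throw new Error('expected header.payload.signature');
  }
  const header = JSON.parse(b64urlToString(parts[0]));
  const payload = JSON.parse(b64urlToString(parts[1]));
  const warnings = [];

  if (typeof header.alg !== 'string' || header.alg.toLowerCase() === 'none') {
    warnings.push('alg is missing or "none": token is unsigned');
  }

  let expired = null; // null means there is no usable exp claim
  if (typeof payload.exp === 'number' && Number.isFinite(payload.exp)) {
    expired = payload.exp <= nowSeconds; // expired once now reaches exp
  } else {
    warnings.push('no numeric exp claim: token does not expire on its own');
  }

  return { header, payload, expired, signatureVerified: false, warnings };
}

// The sample token shown on this page (its signature part is a placeholder).
const SAMPLE_TOKEN = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.abc123signature';
console.log(inspectJwt(SAMPLE_TOKEN));
```

The result always reports signatureVerified: false, because a decoded payload is only trustworthy after the signature has been checked against the secret or public key.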
Frequently asked questions
Is it safe to paste my JWT here?
Yes. Decoding happens entirely in your browser. The token is never sent to any server, logged, or stored.
Can this tool verify the signature?
Yes. Paste your HMAC secret (for HS256/HS384/HS512) or RSA/ECDSA public key (for RS256/ES256) and the tool will verify if the signature is valid.
What does "token expired" mean?
The exp claim is a Unix timestamp. If it is in the past, the token has expired and will be rejected by most APIs. Check the current time in seconds with Math.floor(Date.now() / 1000).
Should I store JWTs in localStorage?
For web apps, httpOnly cookies are safer than localStorage because they are not accessible to JavaScript, so a script injected through XSS cannot read the token.