JWT Decoder

Inspect JWT tokens instantly

About JWT Decoder

A raw JWT looks like three random strings glued together with dots. This tool splits them apart and decodes each section so you can read the actual contents. Header shows the algorithm. Payload shows the claims — user ID, roles, issued-at, expiry. The signature stays encoded because verifying it requires the secret key, which you should not paste anywhere online. The expiry check is the most-used feature: if the `exp` claim is in the past, the token is flagged as expired so you do not have to do the Unix timestamp math yourself.
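
The split, decode and expiry check described above, as an added example (not this tool's own code). The function names, the `VALID_TIME` and `NO_EXP` labels, and the sample token are constructed for illustration; the signature segment is returned still encoded and is never verified.

```javascript
// Base64url -> UTF-8 text. JWT segments use the URL-safe alphabet with padding stripped.
function b64urlToText(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Decode header and payload and classify the exp claim.
// nowSeconds is injectable so the expiry check is deterministic in tests.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected 3 dot-separated segments");
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(b64urlToText(p)));
  if (!header || typeof header !== "object" || !payload || typeof payload !== "object") {
    throw new Error("header and payload must be JSON objects");
  }
  let status = "NO_EXP";
  if (typeof payload.exp === "number") {
    // exp is seconds since the Unix epoch; a token is expired on or after that instant.
    status = nowSeconds >= payload.exp ? "EXPIRED" : "VALID_TIME";
  }
  return {
    alg: header.alg,
    header,
    payload,
    signature: parts[2], // left encoded: decoding proves nothing about authenticity
    status,
    verified: false,
  };
}

// Constructed sample token for the demo; the third segment is a dummy, not a real signature.
function makeSampleToken(claims) {
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.constructed_dummy_signature`;
}

const demo = makeSampleToken({ sub: "user-123", roles: ["admin"], iat: 1700000000, exp: 1700003600 });
console.log(inspectJwt(demo));
```

Because `verified` is always `false`, the output is suitable for debugging only; authorization decisions belong to the server that checks the signature.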

Common Use Cases

  • Checking what claims are actually inside a token during auth debugging
  • Verifying expiry when a request is unexpectedly rejected with 401
  • Inspecting the algorithm used when switching between HS256 and RS256
  • Understanding JWT structure when learning how auth flows work

Frequently Asked Questions

Is it safe to paste a JWT here?
Decoding happens in the browser — nothing is sent to a server. That said, avoid pasting live production tokens with sensitive payloads into any online tool as a habit. Use test tokens.
Can this verify the signature?
No. Signature verification requires the secret key, which should never leave your backend. This tool only decodes the Base64 header and payload — useful for inspection, not verification.
What does "EXPIRED" mean?
The payload contains an `exp` claim (Unix timestamp). If the current time is past that value, the token is expired and any properly implemented server will reject it.
What is the difference between JWT and a session cookie?
A session cookie stores an ID; the actual data lives server-side. A JWT is self-contained — the claims travel with the token. This makes JWTs useful for stateless auth across services but means you cannot invalidate them without extra infrastructure.