JWT Decoder — Decode JSON Web Tokens
Decode and inspect JSON Web Tokens — header, payload, expiry, algorithm — entirely client-side. Your token never leaves the browser.
What Is a JWT Token?
A JSON Web Token (JWT) is a compact, URL-safe means of representing claims between two parties. It is the most widely used token format in modern web authentication — used by OAuth 2.0, OpenID Connect, and virtually every major API that requires authentication.
A JWT has three parts separated by dots (header.payload.signature):
- Header: Algorithm used to sign the token (HS256, RS256, etc.) and token type
- Payload: Claims — user ID, email, roles, expiry time, and any custom data
- Signature: Cryptographic proof that the header and payload were not tampered with (verifying it requires the shared secret for HMAC algorithms such as HS256, or the issuer's public key for asymmetric algorithms such as RS256)
Why Use a JWT Decoder?
Debugging Authentication Issues
When your API returns 401 Unauthorized, paste the JWT from your request headers here to instantly see whether the token has expired, whether the user ID is correct, or whether required claims like roles or permissions are present.
Understanding Third-Party Tokens
OAuth tokens from Google, GitHub, Auth0, Firebase, or Supabase are JWTs. Decode them to understand exactly what data your application is receiving and what claims are available for your authorization logic.
Checking Token Expiry
JWTs carry an exp claim with the Unix timestamp of when the token expires. This decoder converts it to a readable date and tells you immediately whether the token is still valid or has expired.
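The three-part split and the exp/nbf check described above, as an added example in browser-style JavaScript. This is not the tool's own code; the token is constructed inline with a placeholder signature, and like the tool it decodes without verifying the signature.

```javascript
// Added example: minimal client-side JWT decoder. It decodes header and payload
// and evaluates exp/nbf; it does NOT verify the signature, so its output says
// what the token claims, not whether the claims are authentic.

function base64UrlDecode(segment) {
  // Restore the standard Base64 alphabet and padding, then decode as UTF-8.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function base64UrlEncode(str) {
  // Used only to build the constructed sample token below.
  const bytes = new TextEncoder().encode(str);
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("JWT must have three dot-separated parts");
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));

  // RFC 7519: the current time must be strictly before exp and not before nbf.
  let status = "valid";
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) status = "expired";
  else if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) status = "not yet valid";

  return { header, payload, status, signatureVerified: false };
}

// Constructed sample token (hypothetical issuer and subject): HS256 header,
// payload with sub/iss/iat/nbf/exp, and a placeholder in the signature slot.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({
    sub: "user-123", iss: "auth.example.com",
    iat: 1700000000, nbf: 1700000000, exp: 1700003600,
  })),
  "placeholder-signature",
].join(".");

console.log(decodeJwt(SAMPLE_TOKEN, 1700001000)); // status: "valid"
```

Pass a fixed `nowSeconds` to reproduce a result; omit it to check against the current clock.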
Common JWT Payload Claims Explained
| Claim | Full Name | Meaning |
|---|---|---|
| sub | Subject | User identifier (usually user ID) |
| iat | Issued At | Unix timestamp when token was created |
| exp | Expiration Time | Unix timestamp when token expires |
| nbf | Not Before | Token not valid before this timestamp |
| iss | Issuer | Who issued the token (e.g., auth.myapp.com) |
| aud | Audience | Who the token is intended for |
Frequently Asked Questions
Is it safe to decode my JWT token in this tool?
Yes. All decoding happens in your browser — no token is transmitted to any server. The header and payload are only Base64URL-encoded, not encrypted, so decoding them needs no key and reveals nothing beyond what anyone holding the token can already read. However, avoid pasting tokens with admin privileges into any online tool if you can decode them offline.
What is a JWT token?
A JSON Web Token (JWT) is a compact, URL-safe token format used to securely transmit claims between parties. It has three parts separated by dots: header (algorithm), payload (claims like user ID and expiry), and signature (cryptographic verification).
Can this tool verify JWT signatures?
No — and by design. Verifying a signature requires the signing secret or public key, which you should never share with a third-party tool. This decoder shows only the header and payload without signature verification.
What is the difference between JWT and session cookies?
Session cookies store the session ID on the server; the server looks up the session for each request. JWTs are self-contained — the token itself holds the user data. This makes JWTs stateless and suitable for distributed systems and microservices.
What does the exp claim in a JWT mean?
The exp (expiration time) claim is a Unix timestamp indicating when the token expires. This decoder shows the exp value converted to a human-readable date and time, and flags whether the token is currently valid or expired.
What are the most common JWT payload claims?
Common registered claims: sub (subject/user ID), iat (issued at), exp (expiration), nbf (not before), iss (issuer), aud (audience). Custom claims vary by application but often include roles, email, and permissions.