Skip to main content
C
CodeUtil

JWT Decoder

Decode and inspect JSON Web Tokens, view claims, and check expiration.

Loading...

How to Use the JWT Decoder

Paste your JWT token into the input field. The decoder will automatically parse the token and display the header, payload, and signature. You'll also see a breakdown of all claims with timestamps converted to human-readable format.

Features

  • Header Decoding - View the algorithm and token type
  • Payload Decoding - See all claims and data in the token
  • Claims Breakdown - Standard claims are labeled and explained
  • Expiry Check - Visual indicator if token is valid, expiring soon, or expired
  • Timestamp Conversion - Unix timestamps are converted to readable dates
  • Copy Support - Copy individual parts to clipboard

Useful with the Unix Timestamp Converter for exp/iat checks and the Base64 Encoder for manual payload testing.

Understanding JWT Structure

A JWT consists of three parts separated by dots:

header.payload.signature

xxxxx.yyyyy.zzzzz

Header

Contains metadata about the token, including the signing algorithm (alg) and token type (typ).

Payload

Contains the claims - statements about the user and additional metadata. Standard claims include:

  • iss (Issuer) - Who issued the token
  • sub (Subject) - The subject of the token (usually user ID)
  • aud (Audience) - Intended recipient of the token
  • exp (Expiration) - When the token expires
  • iat (Issued At) - When the token was issued
  • nbf (Not Before) - Token is not valid before this time

Signature

Used to verify the token hasn't been tampered with. Created by signing the header and payload with a secret key.

Frequently Asked Questions

Is my JWT secure when using this tool?

Yes! All decoding happens entirely in your browser. Your JWT is never sent to any server. However, remember that JWTs are only encoded, not encrypted - anyone can decode the payload without the secret key.

Does this tool verify JWT signatures?

No, this tool only decodes JWTs. Signature verification requires the secret key or public key, which should never be shared. Always verify JWTs on your server.

Why is my token showing as expired?

The expiration status is based on the exp claim compared to your current local time. If the token shows as expired, the exp timestamp is in the past.

Related Tools

TimestampBase64JSONRegexCronURL