CodeUtil

JWT Decoder

Decode and inspect JSON Web Tokens, view claims, and check expiration.


Why I Built This JWT Decoder

I spend way too much time debugging authentication issues. Half the time, the problem is buried somewhere in a JWT payload - wrong audience claim, expired token, missing permissions. This decoder lets me paste a token and instantly see what's inside without reaching for my terminal.

The killer feature for me is the automatic timestamp conversion. Staring at Unix timestamps like 1709251200 and trying to figure out if that's expired? No thanks. The tool shows human-readable dates and tells me exactly how much time is left.

What I Actually Use This For

  • Header Decoding - Checking which algorithm was used (RS256 vs HS256 mix-ups happen)
  • Payload Decoding - Finding that one claim that's causing auth failures
  • Claims Breakdown - Understanding what custom claims actually contain
  • Expiry Check - That visual indicator has saved me hours of debugging
  • Timestamp Conversion - Because no one can read Unix timestamps at a glance
  • Copy Support - Grabbing specific parts for bug reports or Slack messages

I pair this with the Unix Timestamp Converter when I need to calculate exact expiration times and the Base64 Encoder when I'm manually testing payload modifications.

JWT Structure - The Quick Version

Every JWT is three base64url-encoded parts separated by dots. I remember it as "header tells you how, payload tells you what, signature proves it's real."

header.payload.signature

xxxxx.yyyyy.zzzzz

JWTs are formally specified in RFC 7519.

Header

Contains the algorithm and token type. I've debugged so many issues where someone was expecting RS256 but the token was signed with HS256.

Payload

The actual data - user info, permissions, expiration. Here are the standard claims you'll see in most tokens:

  • iss (Issuer) - Who created this token
  • sub (Subject) - Usually the user ID
  • aud (Audience) - Who should accept this token
  • exp (Expiration) - When it expires
  • iat (Issued At) - When it was created
  • nbf (Not Before) - Can't use it before this time

Signature

The cryptographic proof that the token hasn't been tampered with. This is why anyone can decode a JWT but nobody can modify it without invalidating the signature, which only holds if the receiving server actually verifies that signature.


Frequently Asked Questions

Is my JWT secure when using this tool?

Everything runs locally in your browser. I wouldn't trust my JWTs to a random server, and neither should you. That said, remember that JWTs are only encoded, not encrypted - anyone with the token can decode the payload without needing the secret key.

Does this tool verify JWT signatures?

No, and for good reason. Signature verification requires the secret key or public key, which you should never paste into a web tool. Always verify signatures on your own server with proper key management.

Why is my token showing as expired?

The tool compares the exp claim to your current local time. If it's showing expired, the exp timestamp is in the past. Check if your server's clock is synchronized - I've seen "expired" tokens that were actually fine, just issued by a server with a clock skew.
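As a worked illustration of the three-part structure described above and of the expiry check in this last answer, here is an added JavaScript example; it is not the CodeUtil tool's own code. It splits a compact JWT, base64url-decodes the header and payload, and evaluates the exp and nbf claims against a supplied clock with an optional skew allowance. Like the tool, it does not verify the signature. The sample header, claims, and the placeholder-signature segment are all constructed for this example.

```javascript
// Added example, not part of the CodeUtil tool: decode a JWT's header and
// payload (no signature verification) and evaluate its time-based claims.

// Decode one base64url segment (RFC 7515 alphabet, no padding) into text.
function base64UrlDecode(segment) {
  const base64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
  const binary = atob(padded); // atob/btoa are globals in browsers and Node >= 16
  const bytes = Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
  return new TextDecoder("utf-8").decode(bytes);
}

// Encode text as a base64url segment; used only to build the sample token below.
function base64UrlEncode(text) {
  let binary = "";
  for (const byte of new TextEncoder().encode(text)) {
    binary += String.fromCharCode(byte);
  }
  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Split header.payload.signature and parse the first two parts as JSON.
// The signature segment is returned untouched: nothing here verifies it.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  return {
    header: JSON.parse(base64UrlDecode(headerSeg)),
    payload: JSON.parse(base64UrlDecode(payloadSeg)),
    signature: signatureSeg,
  };
}

// Evaluate exp and nbf against nowSeconds (Unix time). RFC 7519 treats the token
// as expired once now >= exp and as not yet valid while now < nbf; skewSeconds is
// the leeway a verifier grants for clock drift between issuer and consumer.
function checkTiming(payload, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 0) {
  const result = { expired: false, notYetValid: false, expiresAt: null, secondsUntilExpiry: null };
  if (typeof payload.exp === "number") {
    result.expiresAt = new Date(payload.exp * 1000).toISOString();
    result.secondsUntilExpiry = payload.exp - nowSeconds;
    result.expired = nowSeconds >= payload.exp + skewSeconds;
  }
  if (typeof payload.nbf === "number") {
    result.notYetValid = nowSeconds < payload.nbf - skewSeconds;
  }
  return result;
}

// Constructed sample token: header and claims are made up for this example, and
// the signature segment is a placeholder that would not verify against any key.
const SAMPLE_HEADER = { alg: "HS256", typ: "JWT" };
const SAMPLE_PAYLOAD = {
  iss: "https://issuer.example",
  sub: "user-123",
  aud: "api.example",
  iat: 1709247600,
  nbf: 1709247600,
  exp: 1709251200, // 2024-03-01T00:00:00Z
};
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify(SAMPLE_HEADER)),
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
  "placeholder-signature",
].join(".");

// Usage: decode the sample and report timing against the local clock with 60 s leeway.
const sampleDecoded = decodeJwt(SAMPLE_TOKEN);
console.log(sampleDecoded.header, sampleDecoded.payload);
console.log(checkTiming(sampleDecoded.payload, undefined, 60));
```

Passing a skewSeconds of 30 to 60 reproduces the clock-drift situation from the answer above: a token a few seconds past exp on a drifting clock is still reported as valid, which is what a server that grants leeway would do. A real verifier must still check the signature and the aud and iss claims before trusting anything the payload says.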