JWT Structure (Header.Payload.Signature):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.dQvJq...

Key Features

🔍 Full Token Inspection

Decode and view header, payload, and signature separately with color coding.

⏰ Expiration Check

Automatic validation of token expiration and issuance time with visual indicators.

🛠️ JWT Encoder

Create and sign JWT tokens with multiple algorithms (HS256, HS384, HS512).

🔒 Privacy Protected

Your data never leaves your browser. No server storage.

Frequently Asked Questions

Getting Started

What is a JWT token?

JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. It's commonly used for authentication and information exchange. A JWT consists of three parts: Header, Payload, and Signature, separated by dots. The compact size and self-contained nature make JWT ideal for API authorization, single sign-on (SSO), and secure data transmission across different systems and programming languages.

Is this JWT decoder safe?

Yes, completely safe. This JWT decoder runs entirely in your browser using client-side JavaScript. Your tokens never leave your device or get uploaded to any server, ensuring complete privacy and security. All decoding, validation, and signature verification happens locally on your machine. You can safely decode tokens containing sensitive information without worrying about data leakage or third-party access.

How do I decode a JWT?

Simply paste your complete JWT token string into the input area and click the "Decode" button (or enable real-time mode for automatic decoding). The decoder automatically parses the token, splits it into Header, Payload, and Signature sections, and displays each part with syntax-highlighted JSON formatting. It also validates the token structure, checks expiration times, and provides visual indicators for token status.

Understanding JWT Structure

What is the JWT header?

The JWT header is a JSON object that contains metadata about the token. It typically includes two fields: "alg" (the signing algorithm such as HS256, RS256, or ES256) and "typ" (the token type, usually "JWT"). The header is Base64Url encoded to form the first part of the JWT. Example: {"alg":"HS256","typ":"JWT"}. The algorithm specified determines how the signature is generated and verified.

What is the JWT payload?

The JWT payload contains the claims - statements about an entity (typically the user) and additional data. Common registered claims include: sub (subject/user ID), iat (issued at timestamp), exp (expiration timestamp), iss (issuer), aud (audience), and nbf (not before). You can also add custom public or private claims. The payload is Base64Url encoded to form the second part of the JWT, but note that it's encoded, not encrypted - anyone can decode and read it.

What is the JWT signature?

The JWT signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way. It's created by taking the encoded header, the encoded payload, a secret key (for HMAC algorithms) or private key (for RSA/ECDSA), and signing them using the algorithm specified in the header. The signature ensures token integrity and authenticity - if anyone modifies the header or payload, the signature verification will fail.

Token Validation & Claims

How do I know if my token is expired?

This decoder automatically reads the "exp" (expiration time) and "nbf" (not before) claims from the payload and compares them with the current system time. If the current time exceeds the exp timestamp, the token is marked as expired with a red indicator showing how long ago it expired. If the current time is before the nbf timestamp, it shows the token is not yet valid. Valid tokens are highlighted in green with remaining validity time displayed.

What are common JWT claims?

Registered claims (standard): iss (issuer - who created the token), sub (subject - user identifier), aud (audience - intended recipient), exp (expiration time - UNIX timestamp), nbf (not before - token becomes valid), iat (issued at - creation timestamp), jti (JWT ID - unique identifier). Public claims: email, name, role, permissions, scope. Private claims: Custom claims agreed upon by parties using the JWT. All claims are optional except when required by your application logic.

Can I generate JWTs with this tool?

Yes! Switch to the "Encode" tab to create and sign JWT tokens. You can customize the header and payload JSON, select from multiple signing algorithms (HS256, HS384, HS512, or none), enter your secret key, and optionally add standard claims like exp (expiration) and iat (issued at). The tool provides quick-insert buttons for common claims and example payloads. This is perfect for testing, development, and debugging JWT-based authentication systems.

Security & Best Practices

Can someone steal my token?

While this tool doesn't store or transmit your tokens, JWTs themselves should be treated as sensitive credentials. Anyone who obtains your token can decode it and see its contents (since JWTs are encoded, not encrypted). They could potentially use it to impersonate you until it expires. Always transmit tokens over HTTPS, store them securely (HttpOnly cookies or memory, not localStorage), implement short expiration times, and use refresh token rotation to minimize exposure risk.

Should I validate the signature?

Yes, always, for production use. Decoding only shows you the token contents but doesn't verify authenticity. An attacker could modify the payload (e.g., change user_id from 1 to 2) and re-encode it. Without signature validation, your server might accept this forged token. Always validate signatures on your backend using the secret key (for HMAC) or public key (for RSA/ECDSA). This decoder is primarily for debugging - never expose your signing keys client-side.
