JWT

JWT Decoder & Inspector

Decode header, payload, claims and expiry

Decode and inspect JWT tokens instantly — no data sent anywhere. View the full header, payload claims, signature algorithm, issued-at and expiration date in a formatted table. Free online JWT decoder for developers.


// quick guide

A JSON Web Token (JWT, pronounced 'jot') is a compact, URL-safe token format defined by RFC 7519. It is the standard mechanism for stateless authentication in REST APIs — a server issues a signed token, and the client presents that token on every subsequent request. The server verifies the signature and trusts the claims inside without consulting a session database.

Structure of a JWT: Every JWT has exactly three segments separated by dots, each Base64url-encoded: header.payload.signature.

  • The Header is a JSON object declaring the token type ("JWT") and the signing algorithm, such as HS256 (HMAC-SHA256) or RS256 (RSA with SHA-256).
  • The Payload contains "claims" — key-value pairs about the user or session. Standard claims include sub (subject/user ID), iss (issuer), exp (expiration as a UNIX timestamp), and iat (issued-at time). Custom claims can carry roles, permissions, or any application-specific data.
  • The Signature is computed from the header and payload using the algorithm and key. It guarantees that the token was not modified after it was issued.

How to use this tool:

  • Paste your JWT (which always starts with eyJ — the Base64url encoding of {") into the input field.
  • The decoder immediately splits the token, decodes each section, and presents the header and payload as formatted JSON.
  • The exp and iat timestamps are converted from UNIX epoch to local date and time, and the tool shows whether the token is currently active or expired.
  • The signature segment is displayed but cannot be verified without the signing key — see the FAQ below.

Because JWT payloads are only Base64url-encoded (not encrypted), anyone who holds the token can read its contents. Never put sensitive data like passwords in a JWT payload. The security guarantee is only that the payload cannot be tampered with — not that it is confidential.

// deep dive

JWT Explained: Structure, Algorithms, and Security Pitfalls

JSON Web Tokens are the standard for stateless authentication — but they come with subtle security risks. Learn how JWTs work and what can go wrong.


// frequently asked questions

How is a JWT structured?

A JSON Web Token consists of three parts separated by dots (.): Header, Payload, and Signature. The Header contains the token type and signing algorithm. The Payload contains the claims (data about the user or token). The Signature lets the recipient verify that the token was issued by a holder of the signing key and has not been altered since.

Is it safe to paste my JWTs here?

Yes, because our JWT decoder runs entirely on the client side. The token is parsed using JavaScript in your browser, and no network requests are made. Your sensitive authentication credentials never leave your device.

Can this tool verify my JWT's signature?

No, this tool only decodes and displays the payload claims and metadata. Signature verification requires the secret or public key associated with the token generator, which should never be shared with online tools for security reasons.

What is the difference between HS256 and RS256?

HS256 (HMAC-SHA256) is a symmetric algorithm — the same secret key is used for both signing and verification. RS256 (RSA-SHA256) is asymmetric — a private key signs the token, and a corresponding public key verifies it. RS256 is preferred in distributed systems where multiple services need to verify tokens without sharing a secret.

Why do JWTs expire and how do I refresh them?

The 'exp' claim defines a UNIX timestamp after which the token must be rejected. Short expiration times (15–60 minutes) limit the damage if a token is stolen. To avoid forcing users to log in repeatedly, most systems issue a long-lived refresh token alongside the short-lived JWT. When the JWT expires, the client uses the refresh token to obtain a new JWT silently.