JWT Decoder
Paste any JWT to decode the header and payload, inspect timestamps and optionally verify the HS256 signature — all without a library.
Free · No credit card · 50 credits/day
Structure of a JWT
Three Base64url segments separated by dots.
{"alg":"HS256","typ":"JWT"}
Algorithm and token type. Always readable without the secret.
{"user_id":123,"role":"admin","iat":1700000000,"exp":1700003600}
Claims — user data, roles, timestamps. Always readable without the secret.
HMAC-SHA256(header + "." + payload, secret)
Verifies the token was signed by someone who knows the secret and hasn't been tampered with.
Decoding vs verifying
🔍 Decoding
- No secret key needed
- Reads header algorithm and type
- Reads all payload claims
- Converts timestamps to readable dates
- Detects expired tokens
Good for: debugging, inspecting, logging.
✅ Verifying
- Requires the secret key
- Confirms token wasn't tampered with
- Confirms it was signed by a trusted issuer
- HS256 supported
- Constant-time comparison (no timing leak)
Required: on every server-side token check.
Standard JWT claims
Fields the decoder surfaces as human-readable values.
| Claim | Name | What it means |
|---|---|---|
| iss | Issuer | Who created and signed the token |
| sub | Subject | Who the token is about (usually a user ID) |
| aud | Audience | Who the token is intended for |
| exp | Expiration | Unix timestamp after which the token is invalid |
| nbf | Not Before | Unix timestamp before which the token is not valid |
| iat | Issued At | Unix timestamp when the token was created |
| jti | JWT ID | Unique identifier for this token (used to prevent replay) |
Don't paste live production JWTs
A JWT is a bearer token — whoever has it can use it. Pasting a live session token into any online tool means that tool has seen it. Use this tool with test tokens, expired tokens, or tokens that have been revoked. For production debugging, decode locally using your framework's JWT library.
Frequently asked questions
Related developer tools
More tools for tokens and encoding.
Decode a JWT now
Free account. 50 credits per day. Access to 75+ tools instantly.
Create free account →