
JWT Decoder

Paste any JWT to decode the header and payload, inspect timestamps and optionally verify the HS256 signature — all without a library.

  • Decode without secret
  • HS256 verification
  • Expiry detection
  • Human timestamps

Structure of a JWT

Three Base64url segments separated by dots.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxMjMsInJvbGUiOiJhZG1pbiIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjoxNzAwMDAzNjAwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Header
{"alg":"HS256","typ":"JWT"}

Algorithm and token type. Always readable without the secret.

Payload
{"user_id":123,"role":"admin","iat":1700000000,"exp":1700003600}

Claims — user data, roles, timestamps. Always readable without the secret.

Signature
HMAC-SHA256(base64url(header) + "." + base64url(payload), secret)

Proves the token was signed by someone who knows the secret and that the header and payload have not been altered since signing.

Decoding vs verifying

🔍 Decoding

  • No secret key needed
  • Reads header algorithm and type
  • Reads all payload claims
  • Converts timestamps to readable dates
  • Detects expired tokens

Good for: debugging, inspecting, logging.

✅ Verifying

  • Requires the secret key
  • Confirms token wasn't tampered with
  • Confirms it was signed by a trusted issuer
  • HS256 supported
  • Constant-time comparison (no timing leak)

Required: on every server-side token check.
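As an added example, not the tool's own code, here is the decode/verify split from the two columns above implemented in plain Python with only the standard library. The sample token from the page is included to show that decoding needs no secret; the demo secret and the modified token are constructed for this example and the pinned-algorithm check is this example's verifier policy.

```python
import base64
import hashlib
import hmac
import json

# Sample token shown on the page (header and payload decode without any secret)
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJ1c2VyX2lkIjoxMjMsInJvbGUiOiJhZG1pbiIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjoxNzAwMDAzNjAwfQ."
              "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")


def b64url_encode(raw):
    # Base64url with the '=' padding stripped, which is how JWT segments are written
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    # Put the stripped padding back before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token):
    """Read header and payload. No secret is involved: the segments are encoded, not encrypted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def sign_hs256(header, payload, secret):
    """Build header.payload.signature; the HMAC covers the two encoded segments joined by a dot."""
    def compact(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token, secret):
    """Return True only if the signature matches under `secret` for the HS256 algorithm."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        provided = b64url_decode(sig_b64)
    except ValueError:  # bad Base64url or bad JSON
        return False
    # The verifier fixes the algorithm it accepts: the header is untrusted input
    # until the signature has checked out, so its alg value must not decide this.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison: a mismatch takes the same time wherever it occurs
    return hmac.compare_digest(expected, provided)


def with_modified_claim(token, name, value):
    """Re-encode the payload with one claim changed while keeping the original signature.
    Used to show that decoding still works on such a token but verification fails."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims[name] = value
    new_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    return f"{header_b64}.{new_payload}.{sig_b64}"


# Constructed demo secret and token (not a real key)
DEMO_SECRET = b"constructed-demo-secret-not-for-real-use"
DEMO_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"},
                        {"user_id": 123, "role": "admin", "iat": 1700000000, "exp": 1700003600},
                        DEMO_SECRET)

if __name__ == "__main__":
    print("page token decodes to:", decode_jwt(PAGE_TOKEN))
    print("demo token verifies:", verify_hs256(DEMO_TOKEN, DEMO_SECRET))
    print("wrong secret:", verify_hs256(DEMO_TOKEN, b"some-other-secret"))
    modified = with_modified_claim(DEMO_TOKEN, "role", "superadmin")
    print("modified payload still decodes:", decode_jwt(modified)[1]["role"])
    print("modified payload verifies:", verify_hs256(modified, DEMO_SECRET))
```

The split matters in practice: anything that reads claims before `verify_hs256` has returned True is working with untrusted text, which is fine for a debugging decoder and wrong for an authorization decision.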

Standard JWT claims

Fields the decoder surfaces as human-readable values.

Claim  Name         What it means
iss    Issuer       Who created and signed the token
sub    Subject      Who the token is about (usually a user ID)
aud    Audience     Who the token is intended for
exp    Expiration   Unix timestamp after which the token is invalid
nbf    Not Before   Unix timestamp before which the token is not valid
iat    Issued At    Unix timestamp when the token was created
jti    JWT ID       Unique identifier for this token (used to prevent replay)

Don't paste live production JWTs

A JWT is a bearer token — whoever has it can use it. Pasting a live session token into any online tool means that tool has seen it. Use this tool with test tokens, expired tokens, or tokens that have been revoked. For production debugging, decode locally using your framework's JWT library.

Frequently asked questions

Can I decode a JWT without the secret key?

Yes. The header and payload are Base64url-encoded, not encrypted. Anyone with the token string can decode and read the claims. The secret key is only needed to verify the signature — which proves the token was issued by a trusted party and hasn't been tampered with.

What is the difference between decoding and verifying a JWT?

Decoding reads the header and payload — no key needed. Verifying checks that the signature is valid, meaning the token was signed by someone who knows the secret and the payload hasn't been modified since signing. Always verify tokens server-side before trusting their claims.

What does an expired JWT mean?

A JWT with an exp claim in the past is expired. Servers should reject expired tokens. This tool detects expiry automatically — useful for debugging authentication failures where the token was valid when issued but has since expired.
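As an added example, not the tool's code, here are the claim checks a server would run once the signature has verified, covering the standard claims from the table above and the expiry rule in this answer, with the same human-readable timestamp rendering the decoder shows. The claim values, issuer and audience strings are constructed placeholders; requiring exp and jti and the leeway handling are this example's policy choices rather than rules of the JWT format.

```python
from datetime import datetime, timezone


def humanize_timestamps(claims):
    """Render the time claims as ISO 8601 UTC, the way a decoder's readable-timestamp view does."""
    return {name: datetime.fromtimestamp(claims[name], tz=timezone.utc).isoformat()
            for name in ("iat", "nbf", "exp") if name in claims}


def validate_claims(claims, now, expected_iss=None, expected_aud=None, leeway=0, seen_jti=None):
    """Return the list of reasons to reject the token; an empty list means accept.
    `now` is a Unix timestamp; `leeway` (seconds) absorbs clock skew between issuer and server.
    Assumes the signature was verified before this is called: unverified claims are just text."""
    problems = []
    exp = claims.get("exp")
    if exp is None:
        problems.append("missing exp")          # this example's policy: every token must expire
    elif now > exp + leeway:
        problems.append("expired")
    nbf = claims.get("nbf")
    if nbf is not None and now + leeway < nbf:
        problems.append("not yet valid")
    iat = claims.get("iat")
    if iat is not None and iat > now + leeway:
        problems.append("issued in the future")
    if expected_iss is not None and claims.get("iss") != expected_iss:
        problems.append("issuer mismatch")
    if expected_aud is not None:
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]   # aud may be a string or an array
        if expected_aud not in audiences:
            problems.append("audience mismatch")
    if seen_jti is not None:                     # replay check against ids already accepted
        jti = claims.get("jti")
        if jti is None:
            problems.append("missing jti")
        elif jti in seen_jti:
            problems.append("replayed jti")
        elif not problems:
            seen_jti.add(jti)                    # only remember ids of tokens actually accepted
    return problems


# Constructed claims for the demo; issuer and audience are placeholders
DEMO_CLAIMS = {"iss": "https://issuer.example", "sub": "user-123", "aud": "api.example",
               "iat": 1700000000, "nbf": 1700000000, "exp": 1700003600, "jti": "demo-jti-1"}

if __name__ == "__main__":
    print(humanize_timestamps(DEMO_CLAIMS))
    print("during validity:", validate_claims(DEMO_CLAIMS, now=1700001000,
                                              expected_iss="https://issuer.example",
                                              expected_aud="api.example"))
    print("after expiry:", validate_claims(DEMO_CLAIMS, now=1700003601))
    print("after expiry, 30s leeway:", validate_claims(DEMO_CLAIMS, now=1700003601, leeway=30))
```

Returning every failing check rather than the first one is what makes this useful when debugging an authentication failure: a token that is both expired and addressed to a different audience shows both problems at once.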

Is it safe to paste my JWT into this tool?

For production tokens carrying live user sessions, avoid pasting them into any online tool. Use this tool for development and debugging — with test tokens, expired tokens, or tokens that have already been invalidated.

Related developer tools

More tools for tokens and encoding.

JWT Encoder

Create signed HS256 JWT tokens with custom payloads and TTL.

Base64 Decoder

Decode standard or URL-safe Base64 strings back to plain text.

UUID Generator

Generate cryptographically secure UUID v4 identifiers.

Decode a JWT now

Free account. 50 credits per day. Access to 75+ tools instantly.

Create free account →