JWT Decoder
Paste any JWT (JSON Web Token) to instantly decode and inspect the header and payload. View expiry, issued-at, claims, and algorithm. Optionally verify signature with your secret key.
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 9999999999
}
Signature
JWT Structure
JWT = Base64Url(header) + "." + Base64Url(payload) + "." + Base64Url(signature)
Header: algorithm + token type
Payload: claims (sub, iat, exp, iss, aud, custom)
Signature (HS256): HMAC-SHA256(Base64Url(header) + "." + Base64Url(payload), secret)
Examples
Decode access token
Result:
Header: {alg: HS256, typ: JWT}
Payload: {sub: "1234567890", name: "John", iat: 1616239022}
JWT parts decoded to readable JSON with expiry status.
Frequently Asked Questions
Is it safe to paste my JWT here?
JWTs often contain sensitive claims. While our tool processes everything client-side, avoid pasting JWTs with sensitive PII in shared/public environments.
Can you verify the JWT signature?
Yes. Enter your HMAC secret or RSA public key to verify the signature. Without the secret, you can still decode (not verify) the payload.
What does "expired" mean for a JWT?
The exp claim in the payload contains the expiry timestamp (Unix time). If current time > exp, the token is expired and should be rejected.
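The difference between decoding and verifying described in the FAQ above, as an added Python example (not this tool's own code). The secret, the sample token and all function names are constructed for illustration; the expiry check follows the FAQ's "current time > exp" rule.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_unverified(token: str):
    """Decode header and payload only. Nothing here proves authenticity."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Return the claims only if the signature and exp both check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm on the verifier side; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # The MAC covers the encoded segments exactly as they appear in the token.
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if "exp" in claims and now > claims["exp"]:
        raise ValueError("token expired")
    return claims

def sign_hs256(header: dict, claims: dict, secret: bytes) -> str:
    # Helper used only to construct sample tokens for this example.
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

# Constructed sample: the page's example claims signed with a made-up secret.
SECRET = b"constructed-demo-secret"
TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"},
                   {"sub": "1234567890", "name": "John Doe",
                    "iat": 1516239022, "exp": 9999999999}, SECRET)

if __name__ == "__main__":
    print(decode_unverified(TOKEN), verify_hs256(TOKEN, SECRET))
```

`decode_unverified` succeeds on any well-formed token, including a forged one, so only claims returned by `verify_hs256` should feed an authorization decision.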