
JWT Decoder

JWT Decoder — Free JWT decoder. Paste any JSON Web Token and instantly see the decoded header, payload, and expiry time. Shows all claims in a readable format. No signature verification — 100% client-side. No signup required.


What is a JWT and how does it work?

A JSON Web Token (JWT) is a compact string used to transmit claims between a client and server in a form whose integrity the receiver can verify. It looks like three base64url-encoded strings joined by dots, and that is exactly what it is.

  • Header — the algorithm used to sign the token (e.g. HS256, RS256) and the token type (JWT)
  • Payload — the claims: user ID, roles, expiry, issued-at, and any custom data the server wants to include
  • Signature — a MAC (for HS256, an HMAC-SHA256 under a shared secret) or a digital signature (for RS256, an RSA signature under a private key) computed over the encoded header and payload. Verifying it proves the token was issued by the key holder and hasn't been tampered with

Common JWT claims

  • sub — subject (usually a user ID)
  • iat — issued at (Unix timestamp of when the token was created)
  • exp — expiry (Unix timestamp after which the token is invalid)
  • iss — issuer (who created the token — your auth server's domain)
  • aud — audience (intended recipient of the token)
  • name, email, role — custom claims added by the application

Decoding vs verifying

Decoding a JWT just reads the base64url-encoded data: anyone can do it, no secret needed. The payload is not encrypted, only encoded. This is intentional: JWTs are designed to be readable, just not forgeable. Verification (checking the signature) proves the token came from your server and wasn't tampered with, and that requires the shared secret (HS256) or the issuer's public key (RS256). Use this tool to inspect token contents during development; never rely on client-side checks to accept a token in production, because the browser cannot hold the secret and the client is not the party that needs to trust the token.

Frequently Asked Questions

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe string used to transmit claims between parties. It has three base64url-encoded segments separated by dots: header (algorithm and token type), payload (claims like user ID and expiry), and signature (for verification). JWTs are commonly used in authentication and API authorization.

Is it safe to paste my JWT here?

This tool is 100% client-side — your token is decoded entirely in your browser using JavaScript. Nothing is sent to any server. That said, treat real production JWTs like passwords: avoid pasting them into any online tool you do not fully trust. For testing, use tokens from development environments only.

Does this verify the JWT signature?

No. Signature verification requires the shared secret or the issuer's public key used to sign the token, which this tool does not have. This tool only decodes the header and payload sections, which are just base64url-encoded JSON, not encrypted.

What claims does JWT typically contain?

Common JWT claims include: sub (subject/user ID), iat (issued at), exp (expiry), iss (issuer), aud (audience), name, email, and role. Custom claims vary by application.

Why does my JWT say "expired"?

The exp claim in the payload is a Unix timestamp (seconds since Jan 1, 1970). If that timestamp is in the past, the token is expired. This is expected — servers reject expired tokens. Generate a new token by logging in again or refreshing your session.
