JWT Decoder

Decode any JSON Web Token instantly — view header, payload, claims, and expiry. 100% client-side, your token never leaves your browser.


What is a JWT?

A JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. JWTs are widely used for authentication and authorization in web applications, APIs, and microservices.

A JWT consists of three Base64URL-encoded parts separated by dots: a Header, a Payload (containing claims), and a Signature. Base64URL is an encoding, not encryption, so anyone who holds the token can read the header and payload. Our decoder splits and decodes all three parts so you can inspect the contents instantly.

JWT Structure Explained

Header

Contains the token type (typ: "JWT") and the signing algorithm used (e.g., HS256, RS256, ES256).

Payload (Claims)

Contains the actual data — user ID, roles, expiry time (exp), issued-at time (iat), issuer (iss), and any custom claims your application adds.

Signature

A cryptographic signature created using the header, payload, and a secret key. It verifies the token hasn't been tampered with. We can't verify the signature without the secret or public key, but we can decode and read the claims. Until the signature has been verified, treat the decoded claims as unverified.

Is it safe to paste my JWT here?

Everything runs in your browser, and your token is never sent to our servers. That said, JWTs often contain sensitive user data. Be careful pasting tokens from production systems on any third-party site. Use our tool for development and debugging only.

Can you verify the JWT signature?

No. Verifying the signature requires the secret key or public key that was used to sign the token. We only decode the token; we cannot verify its authenticity. For signature verification, use your backend language's JWT library with the appropriate secret or public key.

What does "exp" mean in the payload?

exp is the expiration time claim: a Unix timestamp representing when the token expires. Our decoder automatically converts it to a human-readable date and tells you whether the token is still valid or has expired.
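
The three-part structure and the exp handling described above, as an added example (not this site's own code): a decode-only inspector that marks its result as unverified. The names parseSegment, decodeJwt, b64url and sampleToken are assumptions, and the sample token is constructed.

```javascript
// Added example: decode-only JWT inspection. Nothing here checks the signature,
// so every returned value is untrusted until a backend library verifies the token.

// Decode one Base64URL segment (no '=' padding in JWTs) into a JSON object.
function parseSegment(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg) || seg.length % 4 === 1) {
    throw new Error('segment is not Base64URL');
  }
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(seg.length / 4) * 4, '=');
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  const obj = JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes));
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    throw new Error('segment is not a JSON object');
  }
  return obj;
}

// nowSeconds is injectable so the expiry check can be tested deterministically.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) {
    return { ok: false, error: `expected 3 parts, got ${parts.length}` };
  }
  let header, payload;
  try {
    header = parseSegment(parts[0]);
    payload = parseSegment(parts[1]);
  } catch (e) {
    return { ok: false, error: e.message };
  }
  const out = { ok: true, verified: false, header, payload,
    signaturePresent: parts[2].length > 0, expiry: 'no usable exp claim' };
  // exp is seconds since the Unix epoch; Date accepts at most 8.64e15 ms.
  if (Number.isFinite(payload.exp) && Math.abs(payload.exp) <= 8.64e12) {
    out.expiresAt = new Date(payload.exp * 1000).toISOString();
    out.expiry = nowSeconds >= payload.exp ? 'expired' : 'not expired';
  }
  return out;
}

// Constructed sample token (not from the page); the signature part is a dummy value.
const b64url = (o) => btoa(JSON.stringify(o)).replace(/\+/g, '-')
  .replace(/\//g, '_').replace(/=+$/, '');
const sampleToken = [b64url({ alg: 'HS256', typ: 'JWT' }),
  b64url({ sub: 'user-123', iat: 1700000000, exp: 1700003600 }), 'c2lnbmF0dXJl'].join('.');
console.log(decodeJwt(sampleToken, 1700000000));
```

A token with an empty signature part still decodes here, which is why the result carries verified: false and signaturePresent rather than any statement about authenticity.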