© 2026 Searchlight. All rights reserved.
JWT Decoder

Paste a JSON Web Token to inspect its header, payload, and signature. Decoding is done entirely in your browser.

About this tool

Decode and inspect JWT (JSON Web Token) headers, payloads, and signatures instantly in your browser. Paste any JWT to see its claims - including expiry (exp), issued-at (iat), issuer (iss), and subject (sub) - displayed in a formatted, human-readable layout. The tool also shows whether the token is expired by comparing the exp claim with the current time.

How to Decode a JWT Token

  1. Paste your JWT into the input field - it starts with 'eyJ'.
  2. The header, payload, and signature sections are decoded and displayed instantly.
  3. Check the 'Expires' field to see if the token is still valid.
  4. Review claims like iss (issuer), sub (subject), and aud (audience).
  5. Use the payload values to debug authentication or authorisation issues.
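The decoding these steps describe, written out as an added example in Node.js-compatible JavaScript (this is not the Searchlight tool's own code): each of the three segments is Base64URL-decoded, the header and payload are parsed as JSON, and exp is compared with the current time. The sample header, payload, placeholder signature and timestamps are constructed for the example; nothing here verifies the signature, which is exactly the limitation of a decode-only tool.

```javascript
// Added example, not the Searchlight tool's own code: decode a JWT the way a
// browser-side inspector does (no signature verification) and report expiry.
// The sample header, payload and signature below are constructed for this example.

function base64UrlDecode(segment) {
  // JWT segments are Base64URL without padding: map '-'/'_' back to '+'/'/' and re-pad.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64');
}

function base64UrlEncode(data) {
  return Buffer.from(data)
    .toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}

// Split the token into its three parts and JSON-parse the two that are JSON.
// The signature bytes are returned only so their length can be displayed.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  return {
    header: JSON.parse(base64UrlDecode(h).toString('utf8')),
    payload: JSON.parse(base64UrlDecode(p).toString('utf8')),
    signature: base64UrlDecode(s),
  };
}

// Build the human-readable summary a decoder tool shows: registered claims,
// iat/exp as ISO timestamps, and whether `nowSeconds` is already past exp.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { header, payload, signature } = decodeJwt(token);
  const hasExp = typeof payload.exp === 'number';
  const summary = {
    alg: header.alg,
    iss: payload.iss,
    sub: payload.sub,
    aud: payload.aud,
    issuedAt: typeof payload.iat === 'number' ? new Date(payload.iat * 1000).toISOString() : null,
    expiresAt: hasExp ? new Date(payload.exp * 1000).toISOString() : null,
    expired: hasExp ? nowSeconds >= payload.exp : null, // null when the token carries no exp claim
    signatureBytes: signature.length,
  };
  return { header, payload, summary };
}

// Constructed sample token: a plausible header and payload with a placeholder
// signature (the literal text "not-a-real-signature"), since no key exists here.
const SAMPLE_HEADER = { alg: 'HS256', typ: 'JWT' };
const SAMPLE_PAYLOAD = {
  iss: 'https://issuer.example',
  sub: 'user-123',
  aud: 'api.example',
  iat: 1700000000, // 2023-11-14T22:13:20Z
  exp: 1700003600, // one hour later
};
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify(SAMPLE_HEADER)),
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
  base64UrlEncode('not-a-real-signature'),
].join('.');

// Base64URL of '{"' is 'eyJ', which is why every JSON-header JWT starts that way.
console.log(SAMPLE_TOKEN.startsWith('eyJ'));
console.log(JSON.stringify(inspectJwt(SAMPLE_TOKEN).summary, null, 2));
```

Calling `inspectJwt(SAMPLE_TOKEN)` without a second argument uses the real clock, so the constructed token shows as expired; pass a fixed `nowSeconds` to reproduce the tool's "Expires" check at a chosen instant.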

Frequently Asked Questions

What is a JWT?
A JWT (JSON Web Token) is a compact, URL-safe token consisting of three Base64URL-encoded parts: a header (algorithm), a payload (claims), and a signature. It's widely used for authentication and API authorisation.

Is it safe to paste my JWT here?
The decoding runs entirely in your browser - nothing is sent to a server. However, do not share JWTs from production systems as they often contain sensitive claims. Treat JWTs like passwords.

Can this tool verify the JWT signature?
No. Signature verification requires the secret key or public key, which should never be shared with a browser-based tool. This tool only decodes and displays the payload.

What does 'token expired' mean?
The exp claim in the payload is a Unix timestamp. If the current time is past that timestamp, the token is expired and should be rejected by your server.

What is the difference between a JWT and a session token?
A session token is an opaque random string - the server stores session data in a database and looks it up on each request. A JWT is self-contained - the server encodes claims into the token itself and verifies it using a signature, requiring no database lookup. JWTs are stateless; session tokens are stateful.

How does JWT expiry work and how do I handle it?
The exp claim contains a Unix timestamp after which the token is invalid. The server checks this on every request. When a JWT expires, the client must request a new one - typically via a refresh token (a long-lived token stored securely and exchanged for new short-lived JWTs).

Can I verify a JWT signature in this tool?
No. Signature verification requires the secret key (for HMAC algorithms) or the public key (for RSA/ECDSA algorithms). Sharing these with a browser-based tool would compromise your security. This tool decodes and inspects the payload only, without verification.

What are the main security risks with JWTs?
Key risks include: using the 'none' algorithm (allows unsigned tokens), weak secrets vulnerable to brute force, storing JWTs in localStorage (accessible to XSS), not validating the iss and aud claims, and excessively long expiry times. Use short expiry, strong keys, and store JWTs in httpOnly cookies.
What is the difference between the JWT header, payload, and signature?
The header contains the token type and signing algorithm (e.g. HS256). The payload contains the claims - the data like user ID, roles, and expiry time. The signature is computed over the encoded header and payload with your key (an HMAC for HS256, or a digital signature for RSA/ECDSA algorithms). All three parts are Base64URL encoded and joined with dots.