JWT Decoder
Decode JSON Web Tokens into their header, payload, and signature components. Automatically checks token expiration and displays timestamps in human-readable format.
Published March 21, 2026
All interactive tools run entirely in your browser. Your data never leaves your device.
How It Works
Paste a JWT token to instantly decode it into its three components: header, payload, and signature. The tool automatically detects expiration status and formats timestamps for readability.
Features
- Header Decoding: View the algorithm and token type
- Payload Decoding: View all claims with formatted JSON
- Expiration Check: Automatic detection of expired tokens with relative time display
- Timestamp Formatting: `iat` and `exp` claims shown as human-readable UTC dates
- Per-Section Copy: Copy header or payload JSON independently
What is a JWT?
A JSON Web Token (JWT) consists of three Base64URL-encoded parts separated by dots:
header.payload.signature
- Header: Contains the signing algorithm (`alg`) and token type (`typ`)
- Payload: Contains claims — statements about the user and metadata
- Signature: Cryptographic signature that verifies the token’s integrity
Common Claims
| Claim | Name | Description |
|---|---|---|
| `sub` | Subject | Identifier for the token subject (usually user ID) |
| `iat` | Issued At | Unix timestamp when the token was created |
| `exp` | Expiration | Unix timestamp when the token expires |
| `nbf` | Not Before | Unix timestamp before which the token is invalid |
| `iss` | Issuer | Who created the token |
| `aud` | Audience | Who the token is intended for |
| `jti` | JWT ID | Unique identifier for the token |
Security Note
This tool only decodes JWTs; it does not verify signatures. JWT payloads are Base64URL-encoded, not encrypted, so anyone holding the token can read them. Never put sensitive data in a JWT payload without additional encryption. Signature verification requires the secret key or public key, which makes it a server-side operation.
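
The decode and expiration check described on this page, sketched in JavaScript as an added example (not this tool's own code). The names `inspectJwt` and `b64urlToText`, the status strings, and the sample token are assumptions made for illustration; the result always carries a warning that the claims are unverified.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies the signature.
function b64urlToText(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error("segment is not Base64URL");
  // Base64URL -> Base64: swap the URL-safe characters and restore '=' padding.
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(seg.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function inspectJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlToText(parts[0]));
  const payload = JSON.parse(b64urlToText(parts[1]));
  const warnings = ["signature not verified: treat all claims as untrusted"];
  if (String(header.alg).toLowerCase() === "none" || parts[2] === "")
    warnings.push("unsigned token (alg none or empty signature)");
  // Time checks follow the claim table: expired once now >= exp, invalid before nbf.
  let status = "no-exp";
  if ("exp" in payload) {
    if (typeof payload.exp !== "number") status = "invalid-exp";
    else status = nowSec >= payload.exp ? "expired" : "valid-time";
  }
  if (typeof payload.nbf === "number" && nowSec < payload.nbf) status = "not-yet-valid";
  const toUtc = (s) => (typeof s === "number" ? new Date(s * 1000).toISOString() : null);
  return { header, payload, status, warnings,
    times: { iat: toUtc(payload.iat), exp: toUtc(payload.exp), nbf: toUtc(payload.nbf) } };
}

// Constructed sample token; the third segment is placeholder text, not a real MAC.
const enc = (o) => btoa(JSON.stringify(o))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = [enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user-123", iat: 1700000000, exp: 1700003600 }), "c2lnbmF0dXJl"].join(".");

console.log(inspectJwt(SAMPLE, 1700000100));
```

A status of `valid-time` says only that the clock falls inside the token's claimed window; authorization decisions still require server-side signature verification.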