
JWT Decoder Online — Inspect JSON Web Tokens Instantly

Decode and inspect JSON Web Tokens (JWT) instantly. View the header, payload, and signature. 100% client-side — your token never leaves your browser.

About JSON Web Tokens (JWT)

JWT is a compact, URL-safe method for representing claims securely between two parties. A JWT consists of three parts separated by dots (.):

  • Header: Contains the token type (JWT) and the signing algorithm (HS256, RS256, etc.).
  • Payload: Contains the claims — statements about the user and additional data. Common claims include sub (subject), exp (expiry), iat (issued at).
  • Signature: Used to verify the token hasn't been tampered with. Requires the secret key to verify.

⚠️ Never paste sensitive production JWTs into online tools. This decoder is client-side only, but exercise caution with real tokens.

Frequently Asked Questions

All decoding is done in your browser. Your token is never sent to any server. That said, avoid pasting real production tokens into any online tool as a general security best practice.
No. Signature verification requires the secret key, which should never be shared. This tool decodes the header and payload but cannot verify the signature.
"exp" is the expiration time claim — a Unix timestamp indicating when the token expires. This decoder automatically checks and displays whether your token is still valid or has expired.
JWTs are stateless — all user information is encoded in the token itself. Session cookies store a session ID and require a server-side lookup for each request.
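
The three-part structure and the "exp" check described above, as an added example (not this tool's own source): a decode-only inspector in JavaScript that runs in a browser or Node. The function names, the sample claims and the placeholder signature are constructed for illustration.

```javascript
// Added example, not the tool's own source. Decode-only: nothing here verifies a signature.

// Decode one base64url segment (URL-safe alphabet, padding stripped) to a UTF-8 string.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("not a valid base64url segment");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Parse one decoded segment and insist on a JSON object (not an array, string or number).
function parseJsonObject(segment, name) {
  const value = JSON.parse(base64UrlDecode(segment));
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error(name + " is not a JSON object");
  }
  return value;
}

// Split header.payload.signature, decode the first two parts, and classify exp.
// nowSeconds is injectable so the expiry check can be tested deterministically.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated parts");
  const header = parseJsonObject(parts[0], "header");
  const payload = parseJsonObject(parts[1], "payload");
  let expiry = "no exp claim";
  if ("exp" in payload) {
    if (typeof payload.exp !== "number" || !Number.isFinite(payload.exp)) {
      expiry = "malformed exp claim";
    } else {
      expiry = nowSeconds >= payload.exp ? "expired" : "not expired";
    }
  }
  // Decoded claims are untrusted input until a server verifies the signature with its key.
  return { header, payload, signature: parts[2], expiry, signatureVerified: false };
}

// Constructed sample token for the demo; the third part is a placeholder, not a real signature.
function makeSampleToken(header, payload) {
  const enc = (obj) => btoa(String.fromCharCode(...new TextEncoder().encode(JSON.stringify(obj))))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return enc(header) + "." + enc(payload) + ".c2lnbmF0dXJl";
}

const sample = makeSampleToken({ alg: "HS256", typ: "JWT" },
  { sub: "user-123", iat: 1700000000, exp: 1700003600 });
console.log(inspectJwt(sample, 1700000100));
```

The `expiry` field reports only whether "exp" has passed; `signatureVerified` is always false because decoding alone cannot confirm the token is untampered.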