JWT Decoder — Inspect JSON Web Tokens Online
JSON Web Tokens (JWT) are the backbone of modern web authentication. Used by virtually every REST API, OAuth 2.0 provider, and identity platform, JWTs carry signed claims between client and server in a compact, self-contained format.
Our JWT Decoder instantly decodes any JWT to reveal its header, payload claims, and signature block. Expired tokens are flagged immediately. All timestamps (exp, iat, nbf) are converted to human-readable dates. 100% client-side — your tokens never touch our servers.
JWT Structure
A JWT has three parts separated by dots (.):
.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0 ← Payload (Base64URL)
.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c ← Signature
Last Updated: April 2026
Frequently Asked Questions
JWT (JSON Web Token) is a compact, URL-safe token standard (RFC 7519) used to securely transmit information as a JSON object. The information is verifiable because it is digitally signed — either using a secret (HMAC) or a public/private key pair (RSA or ECDSA). JWTs are used for authentication, authorization, and information exchange.
Standard JWT claims include: sub (subject — user ID), iss (issuer), aud (audience), exp (expiration time), iat (issued at), nbf (not before), jti (JWT ID). Applications also add custom claims like roles, permissions, email, and name. All payload claims are visible in the decoded output: the payload of a signed JWT is only Base64URL-encoded, not encrypted.
No — and intentionally so. Signature verification requires your secret key or RSA/EC public key, which should never be entered into any online tool. This decoder shows the decoded content only. Verify signatures server-side using your language's JWT library.
Decoding happens 100% in your browser using JavaScript — no network requests are made. Your token is never sent to any server. That said, avoid pasting real production tokens into any online tool as a security best practice. Use test tokens for debugging.
The exp (expiration) claim contains a Unix timestamp. If the current time is past that timestamp, the token is expired and will be rejected by servers. Our decoder highlights expired tokens with a warning badge. You'll need to obtain a fresh token from your authentication provider.
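The three-part structure and the exp check described above can be reproduced in a few lines of JavaScript. This is an added example, not this tool's own source code; the names inspectJwt, base64UrlDecode, parseJsonSegment, toSegment and sampleToken are assumptions made for the illustration, and the sample token is constructed.

```javascript
// Decode-only JWT inspection: the signature is displayed, never verified,
// so nothing returned here may drive an authorization decision.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("not valid Base64URL");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes); // rejects bad UTF-8
}

function parseJsonSegment(segment, name) {
  let value;
  try {
    value = JSON.parse(base64UrlDecode(segment));
  } catch (e) {
    throw new Error(`${name} is not Base64URL-encoded JSON`);
  }
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error(`${name} must be a JSON object`);
  }
  return value;
}

// nowSeconds is injectable so the expiry check can be tested deterministically.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = parseJsonSegment(parts[0], "header");
  const payload = parseJsonSegment(parts[1], "payload");
  const dates = {};
  for (const claim of ["exp", "iat", "nbf"]) {
    if (!(claim in payload)) continue;
    const date = new Date(payload[claim] * 1000); // Unix seconds -> milliseconds
    if (typeof payload[claim] !== "number" || Number.isNaN(date.getTime())) {
      throw new Error(`${claim} is not a valid numeric timestamp`);
    }
    dates[claim] = date.toISOString();
  }
  const expired = "exp" in payload && nowSeconds >= payload.exp;
  const notYetValid = "nbf" in payload && nowSeconds < payload.nbf;
  return { header, payload, signature: parts[2], dates, expired, notYetValid };
}

// Constructed sample token (not a real credential); "c2ln" is a dummy signature.
const toSegment = (obj) => btoa(JSON.stringify(obj))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = [toSegment({ alg: "HS256", typ: "JWT" }),
  toSegment({ sub: "1234567890", name: "John Doe", exp: 1700000000 }), "c2ln"].join(".");
```

Calling inspectJwt(sampleToken) returns the parsed header and payload, the raw signature segment, ISO 8601 dates for any exp, iat and nbf claims, and the expired and notYetValid flags.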