JWT Decoder
Decode a JWT to see its header and payload. Spots an expired `exp` claim. Signature is NOT verified.
Frequently asked questions
- How do I decode a JWT?
- Paste the token and the header and payload appear immediately. The `iat`, `nbf` and `exp` claims are shown as human-readable timestamps.
- Does this verify the signature?
- No — and you should never trust a decoded JWT on its own. Always verify the signature server-side with the secret or public key before trusting any claim.
- How do I tell if a token is expired?
- If the payload has an `exp` claim, we compare it to the current time and show 'Expired' or 'Not expired' next to the payload.
- What if the token is malformed?
- We show a friendly error: a JWT must have three dot-separated parts (header.payload.signature) and the first two must be valid base64url-encoded JSON.
- Are URL-safe characters supported?
- Yes — base64url decoding (`-` for `+`, `_` for `/`, no padding) is the JWT standard and we follow it.
- Is the token sent anywhere?
- No. Decoding runs entirely in your browser, so even production tokens are safe to paste.
- What's inside a JWT header?
- Usually `alg` (signing algorithm) and `typ` (always 'JWT'). Some tokens add `kid` to identify which key signed them.
- What are common payload claims?
- `sub` (subject), `iss` (issuer), `aud` (audience), `iat` (issued at), `exp` (expires), `nbf` (not before). Apps add custom claims too.
- Why is base64url different from base64?
- JWTs travel in URLs and headers, so they swap `+`/`/` for `-`/`_` and drop `=` padding to stay URL-safe.
- Is this JWT decoder free?
- Yes — free, no signup, no limits.
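The decoding steps described in the answers above (split on dots, base64url-decode with padding restored, parse JSON, compare `exp`/`nbf` to the current time, never check the signature) as an added browser-style JavaScript example; this is not the tool's own code, and the sample token, claim values and placeholder signature are constructed here.

```javascript
// Added example, not the tool's own code: decode header and payload, report exp/nbf status, signature stays UNVERIFIED.
// base64url -> UTF-8 string: restore '+' '/' and '=' padding, then base64-decode.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("segment is not valid base64url");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// UTF-8 string -> base64url; used here only to build the constructed sample token.
function base64UrlEncode(str) {
  const bin = String.fromCharCode(...new TextEncoder().encode(str));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Split header.payload.signature, parse the first two as JSON and report the
// time-claim status. The third part is returned untouched; nothing here checks it.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("a JWT must have three dot-separated parts (header.payload.signature)");
  }
  let header, payload;
  try {
    header = JSON.parse(base64UrlDecode(parts[0]));
    payload = JSON.parse(base64UrlDecode(parts[1]));
    if (payload === null || typeof payload !== "object") throw new Error("payload is not an object");
  } catch (e) {
    throw new Error("header and payload must be valid base64url-encoded JSON objects");
  }
  let status = "No exp claim";
  if (typeof payload.exp === "number") {
    status = payload.exp <= nowSeconds ? "Expired" : "Not expired";
  }
  if (typeof payload.nbf === "number" && payload.nbf > nowSeconds) {
    status = "Not yet valid"; // a future nbf overrides the exp result
  }
  return { header, payload, signature: parts[2], status, signatureVerified: false };
}

// Constructed sample token (not a real credential); the signature segment is a placeholder.
const SAMPLE_JWT = [
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({ sub: "user-123", iat: 1700000000, exp: 1700003600 })),
  base64UrlEncode("placeholder-signature"),
].join(".");
console.log(decodeJwt(SAMPLE_JWT, 1700000001));
```

The `signatureVerified: false` field is there so callers cannot mistake a cleanly decoded token for an authenticated one; the claims are only trustworthy after a server-side signature check with the secret or public key.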