Utulio

JWT Decoder

Paste a JWT to instantly decode the header, payload, and claims. Expiration dates are shown in human-readable format with an expired/valid indicator. Runs entirely in your browser.

Security notice: This tool only decodes — it does not verify signatures. Never paste production secrets or tokens containing sensitive personal data.
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
Standard Claims
iat (Issued at): 1/18/2018, 1:30:22 AM
Signature

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Signature is shown for reference only. Verification requires the secret key or public key — not available in this tool.

Understanding JWT Structure

A JWT has three parts separated by dots: header.payload.signature. The header and payload are Base64url-encoded JSON, so anyone holding the token can read them. The signature is visible too, but it cannot be checked without the signing key.

This means JWTs are not encrypted — they are only signed. Never put sensitive data (passwords, credit card numbers, SSNs) in a JWT payload. The signature proves the token hasn't been tampered with, but the data inside is readable.

Common debugging scenarios: checking if a token is expired (exp claim), seeing what scopes/roles are included, verifying the issuer (iss) and audience (aud), or inspecting custom claims your auth server added.

JWT Decoder FAQs

What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and information exchange. It consists of three Base64url-encoded parts separated by dots: a header (algorithm and type), a payload (claims/data), and a signature. JWTs are commonly used for API authentication and stateless sessions.
Is it safe to decode a JWT in this tool?
This tool only decodes — it reads the Base64url-encoded header and payload, which are not encrypted. The contents of a JWT are already readable by anyone who has the token. However, never paste tokens that grant access to sensitive systems, contain personal data, or are from production environments into any third-party tool.
What is the exp claim?
The "exp" (expiration time) claim is a Unix timestamp (seconds since January 1, 1970 UTC) indicating when the token expires. This tool automatically converts exp to a human-readable date and shows whether the token has expired. A server should reject tokens where the current time is past the exp timestamp.
What is the difference between HS256 and RS256?
HS256 (HMAC-SHA256) uses a shared secret key for both signing and verification — the same key creates and validates the token. RS256 (RSA-SHA256) uses a private key to sign and a public key to verify — the secret never needs to be shared. RS256 is preferred for distributed systems where multiple services need to verify tokens without needing the signing secret.
Why can't this tool verify the signature?
JWT signature verification requires the secret key (HS256) or the public key (RS256) that was used to sign the token. These keys are server-side secrets that should never be exposed in a client-side tool. This decoder shows the signature for inspection only. Always verify JWT signatures on your server.
What are standard JWT claims?
Standard claims defined in RFC 7519: iss (issuer), sub (subject/user ID), aud (audience), exp (expiration), nbf (not before), iat (issued at), jti (JWT ID). Applications often add custom claims for user roles, permissions, and other data. This tool highlights the standard time-based claims (exp, iat, nbf) with human-readable timestamps.
