JWT Decoder

Decode any JWT to inspect its header and payload and to check its expiry. Nothing is sent to a server.

About this tool

JSON Web Tokens (JWTs) are the standard for stateless authentication in modern web applications. A JWT consists of three Base64url-encoded parts separated by dots: the header (algorithm and token type), the payload (claims — user ID, roles, expiry), and the signature (cryptographic proof the token was not tampered with). This tool decodes the header and payload so you can inspect what is inside. It does not verify the signature — that requires the secret key.

Never paste a production JWT containing sensitive data into any online tool you do not control. This tool runs entirely in your browser — no data is sent anywhere — but verify that for any tool you use with real tokens.

Frequently asked questions

What is the exp claim?

exp is the expiration time claim. It is a Unix timestamp indicating when the token expires. This tool checks the exp claim and tells you whether the token is expired or when it expires.

Can I use a decoded JWT without verifying the signature?

You can read the payload without verifying the signature, but you should never trust the payload of an unverified JWT for authentication decisions. An attacker can construct a JWT with any payload they want. Server-side signature verification is what makes JWTs trustworthy.
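
The decode-and-check-expiry behaviour described above, as an added example (not this tool's own source code): it splits a token into its three parts, Base64url-decodes the header and payload, and evaluates exp against the current time. The function names, the sample token and its claims are constructed for illustration; the signature is never verified, so the result is for inspection only.

```javascript
// Added example: decode-only JWT inspection. No signature check is performed.
function b64urlToJson(segment) {
  // Base64url uses '-' and '_' and omits '=' padding; map back to standard Base64.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error("expected three dot-separated parts, got " + parts.length);
  }
  const [headerB64, payloadB64, signatureB64] = parts;
  const header = b64urlToJson(headerB64);
  const payload = b64urlToJson(payloadB64);
  // exp is a Unix timestamp in seconds; a missing or non-numeric exp is reported, not guessed.
  let expiry;
  if (typeof payload.exp !== "number" || !Number.isFinite(payload.exp)) {
    expiry = { status: "no-exp" };
  } else if (nowSeconds >= payload.exp) {
    expiry = { status: "expired", secondsAgo: nowSeconds - payload.exp };
  } else {
    expiry = { status: "valid-until", secondsLeft: payload.exp - nowSeconds,
               at: new Date(payload.exp * 1000).toISOString() };
  }
  // verified is always false: decoding proves nothing about who issued the token.
  return { header, payload, signatureB64, expiry, verified: false };
}

// Constructed sample token: made-up claims and a placeholder signature.
function toB64url(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const sampleToken = [
  toB64url({ alg: "HS256", typ: "JWT" }),
  toB64url({ sub: "user-123", role: "admin", exp: 1700000000 }),
  "placeholder-signature",
].join(".");

console.log(inspectJwt(sampleToken, 1699999000)); // inspected before exp
console.log(inspectJwt(sampleToken, 1700000001)); // inspected after exp
```

The sample decodes cleanly even though its signature is a placeholder, which is why decoded claims are safe to read but not to act on.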