JWT (JSON Web Token) is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three parts: Header (algorithm and token type), Payload (claims/data), and Signature (verification). JWTs are commonly used for authentication and authorization in web applications and APIs.

How do I decode a JWT token online?

To decode a JWT token: 1) Copy your JWT token (it looks like xxx.yyy.zzz with three parts), 2) Paste it into the input field, 3) The tool will automatically decode and display the Header, Payload, and Signature sections. You'll also see the algorithm used, expiration time, and all claims.

Is it safe to decode JWT tokens online?

Yes, this tool is safe because all decoding happens in your browser (client-side processing). Your JWT tokens are never sent to any server. However, JWTs often contain sensitive information, so only use tokens from development/testing environments, not production tokens with real user data.

JWT claims are key-value pairs in the payload that carry information. Standard claims include: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). Custom claims are additional fields you define for your application, like user_id, email, or role.

How do I check if a JWT token is expired?

Our tool automatically checks the "exp" (expiration) claim in your JWT and displays the expiration status with a colored badge. You'll see "Valid" (green) if not expired, "Expired" (red) with how long ago it expired, or "Future Token" (yellow) if the expiration is in the future.

JWT Debugger

Decode and verify JSON Web Tokens (JWT) with real-time feedback

JWT Token

Paste your JWT token here...

Tips

• Paste a JWT token to decode and inspect its contents

• The token is split into Header (algorithm), Payload (claims), and Signature

• Check expiration time (exp) to verify if token is still valid

• This tool can verify signatures with your secret key or public key

• Use HS256/384/512 with a secret key, or RS256/384/512/ES256/384/512 with a public key

• For RS256/ES256, paste your public key in PEM format (-----BEGIN PUBLIC KEY-----)