JWT Decoder

Decode JSON Web Tokens and inspect header, payload, and expiration. No server-side processing.

What Is a JSON Web Token?

A JWT is a compact, URL-safe token format defined in RFC 7519. It consists of three Base64URL-encoded parts separated by dots: a header (algorithm and token type), a payload (claims about the user or session), and a signature (cryptographic proof of integrity). Because the header and payload are Base64URL-encoded JSON (unpadded), you can decode those two segments independently of the signature and without any key; the signature segment is raw bytes, not JSON.

Reading the Decoded Output

The header typically contains alg (signing algorithm, like HS256 or RS256) and typ (usually "JWT"). The payload carries claims: sub (subject), iat (issued at), exp (expiration), and any custom data the issuer included. All timestamps are Unix epoch seconds. The decoded payload is a JSON object; use the JSON Formatter to pretty-print complex payloads.

Security Notes

This tool decodes the token — it does not verify the signature. Anyone can read a JWT's payload without the signing key. Never store sensitive data (passwords, credit card numbers) inside a JWT payload. Signature verification requires the server's secret key (for HMAC) or public key (for RSA/ECDSA), which this client-side tool does not have access to.

Common JWT Claims

iss identifies who issued the token. aud specifies the intended audience. exp sets when the token expires. nbf (not before) prevents early use. jti provides a unique identifier to prevent replay attacks. These registered claims are optional but widely used in OAuth 2.0 and OpenID Connect flows.

Frequently Asked Questions

Can this tool verify JWT signatures?
No. Signature verification requires the signing secret (for HMAC algorithms) or the public key (for RSA/ECDSA). This tool runs in your browser and does not have access to server-side keys. It decodes the token structure only.
Is it safe to paste my JWT here?
Yes. This tool processes the token entirely in your browser. No data is sent to any server. However, avoid sharing JWTs in public spaces (Slack messages, GitHub issues) since anyone can read the payload without the signing key.
Why does my token show as expired?
The tool compares the exp claim (a Unix timestamp in seconds) against your device's current time. If the expiration date is in the past, the token is marked as expired. Check that your device's clock is accurate. Short-lived tokens (15-60 minutes) are common in OAuth 2.0 flows and expire quickly by design.
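The decoding and expiry logic described above, as an added example (not this tool's own code): it splits the three dot-separated segments, Base64URL-decodes the header and payload without padding, never touches the signature, and compares exp/nbf against a caller-supplied clock with optional leeway for clock skew. The sample token is the widely published jwt.io demo token, embedded here as constructed input.

```javascript
// Added example, not the decoder tool's own implementation.
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Base64URL -> bytes. JWT segments omit '=' padding, so leftover bits are dropped.
function base64UrlToBytes(seg) {
  if (!/^[A-Za-z0-9_-]*$/.test(seg)) throw new Error("segment is not Base64URL");
  const out = [];
  let acc = 0, bits = 0;
  for (const ch of seg) {
    acc = (acc << 6) | B64URL.indexOf(ch);
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the not-yet-emitted low bits
    }
  }
  return new Uint8Array(out);
}

// Decode header and payload only. verified is always false: no key, no check.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("JWT must have exactly 3 segments");
  const json = (i) => JSON.parse(new TextDecoder().decode(base64UrlToBytes(parts[i])));
  return { header: json(0), payload: json(1), signature: parts[2], verified: false };
}

// Time check as a client-side decoder does it: nowSeconds is Unix epoch seconds
// from the device clock, leewaySeconds absorbs small clock skew (RFC 7519 4.1.4/4.1.5).
function tokenStatus(payload, nowSeconds, leewaySeconds = 0) {
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp + leewaySeconds) return "expired";
  if (typeof payload.nbf === "number" && nowSeconds + leewaySeconds < payload.nbf) return "not-yet-valid";
  return "active";
}

// Constructed sample: the public jwt.io demo token (HS256, no exp claim).
const SAMPLE_JWT =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

const decoded = decodeJwt(SAMPLE_JWT);
console.log(decoded.header, decoded.payload, tokenStatus(decoded.payload, 1516239022));
```

Because the sample has no exp claim, tokenStatus reports it as active at any clock value; a real access token would normally carry exp and often nbf.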