JWT Decoder
Paste any JSON Web Token to decode the header, payload claims, and signature segment. Detects algorithm, expiry status, and formats Unix timestamps as readable dates. No data is sent to any server — everything runs in your browser.
About this tool
JWTs consist of three Base64URL-encoded parts: header (algorithm + token type), payload (claims), and signature. This tool decodes the first two parts locally — your token never leaves your browser. Note: this tool does not verify the signature. Verification requires the verification key (the shared secret for HS256, or the public key for RS256), which this tool does not have, so treat decoded claims as unverified.
Features
Header decode
Shows token type and signing algorithm (HS256, RS256, etc.)
Payload claims
All claims decoded and displayed — sub, iss, exp, iat, aud, and custom
Expiry status
Instantly shows if the token is valid, expired, or not yet active
Date formatting
Unix timestamps in exp and iat are shown as readable dates
Zero uploads
Decoding happens in your browser — your token never leaves your device
Algorithm badge
Highlighted algorithm badge makes it easy to spot the signing method
JWT structure
A JWT has three Base64URL-encoded parts separated by . — paste one into the decoder above to inspect each part.
Frequently asked questions
What are standard JWT claims?
Standard registered claims include: iss (issuer), sub (subject/user identifier), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). Applications can add any additional custom claims in the payload.
Why does my JWT have three parts separated by dots?
Each part is Base64URL encoded. The first dot separates the header from the payload, and the second dot separates the payload from the signature. The format is: Base64URL(header).Base64URL(payload).Base64URL(signature).
What is the difference between HS256 and RS256?
HS256 (HMAC with SHA-256) uses a shared symmetric secret — both the issuer and verifier use the same key. RS256 (RSA with SHA-256) uses an asymmetric key pair — tokens are signed with a private key and verified with the corresponding public key, which can be shared safely.
Can JWTs be used for sessions?
Yes, but with trade-offs. JWTs are stateless — the server does not need to store session data. However, they cannot be invalidated before expiry without server-side state (e.g., a token blocklist), so short expiry times and refresh token rotation are common patterns.