JWT Decoder
Decode and inspect JSON Web Tokens: header, payload and signature. Checks exp/nbf claims and highlights common issues.
Last updated: April 2026 · Runs in your browser · No sign-up
JWT structure
A JWT (in its compact JWS form) is three Base64URL-encoded segments joined by dots: header.payload.signature. The header declares the algorithm (alg) and token type (typ). The payload holds the claims. The signature is computed over the first two segments exactly as they appear in the token and proves they weren't tampered with, but only once you verify it with the right key; decoding alone proves nothing about who issued the token.
Common pitfalls
- alg: none is a classic attack: a token whose header says alg: none and whose signature segment is empty is accepted by verifiers that let the token choose the algorithm. Always enforce the expected algorithm server-side and reject everything else before any signature check runs.
- Long-lived JWTs are hard to revoke because there is no server-side session to delete. Keep exp short and use refresh tokens for longer sessions.
- Don't store secrets or PII in the payload; it is only Base64URL-encoded, not encrypted, so anyone holding the token can read it.
Frequently Asked Questions
Does it verify the signature?
Signature verification requires the shared secret (HS256/HS384/HS512) or the issuer's public key (RS*/PS*/ES*). Paste one to verify; otherwise the tool only decodes the claims and cannot tell a genuine token from a forged one. Verification happens in your browser via Web Crypto.
Is pasting a JWT here safe?
Decoding happens entirely client-side; no network request is made. Still, treat any JWT as sensitive: a leaked production token grants whoever holds it whatever the claims permit until it expires.
What claims should I look at?
exp (expiry), nbf (not before), iat (issued at), iss (issuer), aud (audience), sub (subject). The time claims are NumericDate values (seconds since the Unix epoch). The tool flags expired tokens and future-dated tokens (nbf or iat later than now) automatically; iss and aud it can only display, because only your application knows which issuer and audience it expects.
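An added example (not the tool's own code) of the claim checks described above, run over a decoded payload with a fixed clock so the results are reproducible. It goes slightly beyond the answer by accepting a clock-skew leeway and by checking iss and aud against expected values, which a server must supply itself. All payloads, the issuer URL and the audience names are constructed.

```javascript
// Added example, not the tool's source. Validates the registered claims of a
// decoded JWT payload. Times are NumericDate (seconds since epoch) per RFC 7519.
// `now` and `leeway` are parameters so the checks are deterministic and testable.
function checkClaims(payload, { now, leeway = 0, issuer, audience } = {}) {
  const issues = [];
  const t = now ?? Math.floor(Date.now() / 1000);

  // exp: the token is valid only while now < exp. A missing exp is itself a finding,
  // since such a token never expires and cannot be retired without key rotation.
  if (payload.exp === undefined) issues.push("missing exp: token never expires");
  else if (typeof payload.exp !== "number") issues.push("exp is not a NumericDate");
  else if (t >= payload.exp + leeway) issues.push(`expired ${t - payload.exp}s ago`);

  // nbf: the token is valid only once now >= nbf.
  if (typeof payload.nbf === "number" && t + leeway < payload.nbf)
    issues.push(`not valid for another ${payload.nbf - t}s`);

  // iat in the future usually means clock drift or a forged token.
  if (typeof payload.iat === "number" && payload.iat > t + leeway)
    issues.push("iat is in the future");

  // iss: exact string match against the issuer this application trusts.
  if (issuer !== undefined && payload.iss !== issuer)
    issues.push(`iss ${JSON.stringify(payload.iss)} != expected ${JSON.stringify(issuer)}`);

  // aud may be a single string or an array; our own identifier must be present,
  // otherwise a token minted for a different service would be accepted here.
  if (audience !== undefined) {
    const auds = Array.isArray(payload.aud)
      ? payload.aud
      : payload.aud === undefined ? [] : [payload.aud];
    if (!auds.includes(audience))
      issues.push(`aud ${JSON.stringify(payload.aud)} does not include ${JSON.stringify(audience)}`);
  }
  return issues;
}

// Constructed payloads evaluated at a fixed "now" (hypothetical issuer and audiences).
const NOW = 1700000000;
const ISSUER = "https://issuer.example";
const samples = {
  fresh:    { iss: ISSUER, aud: ["api", "web"], sub: "u1", iat: NOW - 60, nbf: NOW - 60, exp: NOW + 600 },
  expired:  { iss: ISSUER, aud: "api", sub: "u1", iat: NOW - 7200, exp: NOW - 3600 },
  notYet:   { iss: ISSUER, aud: "api", sub: "u1", nbf: NOW + 300, exp: NOW + 900 },
  wrongAud: { iss: ISSUER, aud: "other-service", sub: "u1", exp: NOW + 600 },
  wrongIss: { iss: "https://evil.example", aud: "api", sub: "u1", exp: NOW + 600 },
  noExp:    { iss: ISSUER, aud: "api", sub: "u1", iat: NOW },
};
const opts = { now: NOW, leeway: 30, issuer: ISSUER, audience: "api" };

for (const [name, payload] of Object.entries(samples)) {
  console.log(name, checkClaims(payload, opts));
}
```

Leeway only widens the window in the direction that tolerates skew: a token that expired 10 seconds ago passes with a 30-second leeway, but one that expired an hour ago does not. Keep leeway small (seconds, not minutes); every second of leeway is a second a stolen token stays usable past its intended lifetime.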
Why is the payload not encrypted?
A plain JWT is a JWS: signed, not encrypted, so anyone who obtains the token can read the claims without any key. For confidentiality, use JWE (JSON Web Encryption), which encrypts the payload, or simply avoid putting sensitive data in the token.