Does decoding a JWT verify the signature?

No. Decoding only reads the header and payload — it does not verify the signature. Signature verification requires the secret key (HMAC) or public key (RSA/ECDSA) used to sign the token, which this browser tool does not have. Never trust the claims in a decoded payload without server-side signature verification using the appropriate key.

Is it safe to paste my JWT here?

All decoding runs entirely in your browser — your JWT is never sent to a server or logged. However, JWTs can contain sensitive user claims (IDs, emails, roles). Avoid pasting production access tokens into any browser tool. Use test tokens or tokens already expired. For debugging, redact or mask the signature section before pasting.

What does "exp" mean in a JWT?

`exp` (expiry) is a standard JWT claim defined as a Unix timestamp — the number of seconds since 1970-01-01 00:00:00 UTC — after which the token must be rejected. This tool converts `exp` to a human-readable date and time and shows whether the token is currently valid, expired, or about to expire. The `iat` claim marks when the token was issued.

What JWT algorithms does this tool support?

The decoder displays the algorithm declared in the token header — HS256, HS384, HS512 (HMAC-SHA family), RS256, RS384, RS512 (RSA), ES256, ES384, ES512 (ECDSA), and PS256 (RSASSA-PSS). It does not verify signatures for any algorithm since verification requires the signing key. The algorithm display helps identify which signing method your authentication server is configured to use.

developer

Free JWT Decoder — Inspect JSON Web Token Claims Instantly

A JSON Web Token (JWT) is a three-part Base64-encoded string separated by dots: header, payload, and signature. This tool decodes all three parts and displays them as readable JSON — showing the algorithm, token claims (sub, iss, exp, iat), and expiry status. Your token is never sent to any server.

Free — No SignupRuns in BrowserData Never UploadedPopular tool

How It Works

How to use JWT Decoder

Paste your JWT

Paste the full JWT token (including all three dot-separated parts) into the input field.

Inspect decoded output

The header and payload are decoded and formatted as JSON. Expiry time is shown in human-readable format.

Check validity and claims

See if the token is expired, what algorithm was used, and all claims present in the payload.

FAQ

Frequently asked questions

A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519, consisting of three dot-separated Base64-encoded parts: header (algorithm and token type), payload (claims such as user ID, expiry, and issuer), and signature. JWTs are the dominant format for stateless authentication in REST APIs and single-page applications — readable without a database lookup.

Related Tools

You might also need

Base64 Encoder / Decoder

Encode and decode Base64 strings instantly in your browser.

JSON Formatter & Validator

Format, validate, and minify JSON instantly in your browser.

Strong Password Generator

Generate cryptographically secure passwords instantly.

References

Need this built into your product?

We design and build custom software — SaaS platforms, MVPs, AI agents, and web apps.

Custom SaaS Development

End-to-end SaaS products — API, auth, billing, dashboard, deployment.

MVP Development

Working product in 6–8 weeks. Fixed price, committed timeline.

AI Agent Development

Custom AI agents and workflow automation built for your stack.

Have a project in mind?

We turn ideas into production-ready software — SaaS, web apps, mobile, and AI agents. Fixed price. Committed timeline. No surprises.

Let's talk

Free JWT Decoder — Inspect JSON Web Token Claims Instantly

How to use JWT Decoder

Frequently asked questions

You might also need

Further reading

Need this built into your product?