JWT Decoder
Decode and inspect JSON Web Tokens instantly. 100% client-side — nothing leaves your browser.
Header
Payload
Signature
The signature cannot be verified without the secret key. Never share your secret key with any online tool.
Claims Summary
Frequently Asked Questions
What is a JWT?
A JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as JSON in a compact, URL-safe form. It consists of three Base64URL-encoded parts separated by dots: a Header, a Payload, and a Signature.
Is it safe to paste my JWT here?
Yes. This tool runs entirely in your browser. Your token is never sent to any server. The page works offline once loaded.
What are the three parts of a JWT?
The Header contains metadata about the token, such as the signing algorithm (alg) and token type (typ). The Payload contains the claims — statements about the subject and additional data. Both are only Base64URL-encoded, not encrypted, so anyone who holds the token can read them. The Signature is used to verify that the token has not been tampered with.
Why can't this tool verify the JWT signature?
Signature verification requires the secret key (for HMAC algorithms) or the public key (for RSA/ECDSA). This tool only decodes the public parts of the token. Never share your secret key with any online tool.
What does the exp claim mean?
The exp (expiration time) claim identifies the expiration time on or after which the JWT must not be accepted. It is a Unix timestamp in seconds. This tool shows a colour-coded badge: green for valid, orange for expiring within 24 hours, and red for already expired.
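The decode step and the exp badge rule described above, as an added JavaScript example (not this tool's own source). The function names, the sample token and the exact handling of the 24-hour boundary and of a missing or non-numeric exp are assumptions.

```javascript
// Added example: decode-only JWT inspection. No signature check is performed,
// so every decoded value must be treated as untrusted input.
const DAY = 24 * 60 * 60; // seconds

function b64urlToJson(part) {
  if (!/^[A-Za-z0-9_-]+$/.test(part)) throw new Error("not Base64URL");
  // Map the URL-safe alphabet back to standard Base64 and restore padding.
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(part.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return {
    header: b64urlToJson(parts[0]),
    payload: b64urlToJson(parts[1]),
    signature: parts[2], // left opaque: verifying it needs the key
  };
}

// Badge rule from the text: red once now >= exp ("on or after"),
// orange when exp falls within the next 24 hours, otherwise green.
function expBadge(payload, nowSec = Math.floor(Date.now() / 1000)) {
  const exp = payload.exp;
  if (exp === undefined) return "none";
  if (typeof exp !== "number" || !Number.isFinite(exp)) return "invalid";
  if (nowSec >= exp) return "red";
  if (exp - nowSec <= DAY) return "orange";
  return "green";
}

// Constructed sample token; the signature is a dummy string, not a real MAC.
const enc = (o) => btoa(JSON.stringify(o))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_NOW = 1700000000;
const sampleToken = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user-123", exp: SAMPLE_NOW + 3600 }),
  "ZHVtbXktc2lnbmF0dXJl",
].join(".");
```

A green badge here only means the exp value in the payload lies in the future; without signature verification that value could have been written by anyone.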
What is the difference between HS256 and RS256?
HS256 is HMAC with SHA-256, a symmetric algorithm: the same secret is used to both sign and verify the token. RS256 is an RSA signature with SHA-256, an asymmetric algorithm: a private key signs the token and the corresponding public key verifies it. RS256 is preferred for distributed systems, because services that only verify tokens need just the public key and cannot sign new tokens with it.