JWT Decoder
Paste any JWT — see decoded header, payload, expiry, and signature.
The table below lists the two common header parameters (alg, typ) and the registered claim names defined in the JWT specification (RFC 7519).
| Claim | Section | Meaning |
|---|---|---|
| alg | Header | Algorithm used to sign the token (e.g. HS256, RS256, ES256) |
| typ | Header | Token type — always "JWT" for JSON Web Tokens |
| sub | Payload | Subject — identifies the principal (usually a user ID) |
| iss | Payload | Issuer — identifies the party that issued the token |
| aud | Payload | Audience — the recipient(s) the token is intended for |
| exp | Payload | Expiration time — Unix timestamp after which the token is invalid |
| iat | Payload | Issued At — Unix timestamp of when the token was created |
| nbf | Payload | Not Before — Unix timestamp before which the token must not be accepted |
| jti | Payload | JWT ID — unique identifier to prevent token replay |
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519. It encodes claims (statements about an entity) as a JSON object that is signed, so that a party holding the verification key can detect tampering. JWTs are widely used for authentication and information exchange in web applications and APIs.
What are the three parts of a JWT?
A JWT has three Base64URL-encoded parts separated by dots: 1) Header: contains the token type and signing algorithm. 2) Payload: contains the claims (user data, expiry, etc.). 3) Signature: the HMAC, RSA or ECDSA signature that verifies the token's integrity.
Can you verify a JWT with this tool?
No. Verification requires the secret key (for HMAC algorithms) or the public key (for RSA/ECDSA). This tool only decodes the Base64URL-encoded parts to make them readable. Never share your signing secret with any online tool.
Is it safe to paste my JWT here?
This tool runs entirely in your browser — no data is sent to any server, logged, or stored. That said, JWTs can contain sensitive user information. Use test/development tokens for online tools and keep production tokens in secure environments.
What does 'exp' mean in a JWT payload?
exp is the expiration claim — a Unix timestamp (seconds since January 1, 1970 UTC) after which the token should be considered invalid. This tool converts the raw timestamp to a human-readable date and marks the token as expired if the current time is past the expiry.
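The decode-only step described in the answers above, as an added example (not this tool's own code): it splits the token, Base64URL-decodes the header and payload, and evaluates exp and nbf against a supplied clock without touching the signature. The names b64urlToText, inspectJwt, encodeSegment and SAMPLE_JWT, and the sample token itself, are assumptions constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. No signature verification happens here.
// Runs in browsers and Node 16+ (uses the atob, btoa and TextDecoder globals).

// Base64URL -> UTF-8 text: map '-' and '_' back, restore the stripped '=' padding.
function b64urlToText(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error('segment is not Base64URL');
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// Decode header and payload, then evaluate exp/nbf against nowSec (Unix seconds).
function inspectJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = JSON.parse(b64urlToText(parts[0]));
  const payload = JSON.parse(b64urlToText(parts[1]));
  const isNum = (v) => typeof v === 'number' && Number.isFinite(v);
  return {
    header,
    payload,
    signature: parts[2], // left encoded; checking it needs the secret or public key
    verified: false, // decoded claims are unauthenticated input
    expiresAt: isNum(payload.exp) ? new Date(payload.exp * 1000).toISOString() : null,
    expired: isNum(payload.exp) && nowSec >= payload.exp,
    notYetValid: isNum(payload.nbf) && nowSec < payload.nbf,
  };
}

// Constructed sample token (helper and values are illustrative); the third
// segment is a placeholder string, not a real HMAC.
const encodeSegment = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE_JWT = [
  encodeSegment({ alg: 'HS256', typ: 'JWT' }),
  encodeSegment({ sub: 'user-123', iat: 1700000000, exp: 1700003600 }),
  'placeholder-signature',
].join('.');

const info = inspectJwt(SAMPLE_JWT, 1700000100);
console.log(info.header.alg, info.payload.sub, info.expiresAt, info.expired);
```

The sample decodes cleanly even though its signature segment is a placeholder, which is why a server must verify the signature with the key before acting on any decoded claim.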
What is the difference between HS256 and RS256?
HS256 (HMAC-SHA256) uses a single shared secret for both signing and verification — suitable for internal services where you control both sides. RS256 (RSA-SHA256) uses a private key to sign and a public key to verify — better for distributed systems where the verifier shouldn't have the signing key.