JWT is a compact token format for authentication containing a header, payload (claims), and signature.

Is it safe to paste my JWT?

Yes. Decoding happens in your browser. No data is sent to any server.

What is JWT expiration?

The "exp" claim specifies when the token expires (Unix timestamp). After that, it should be rejected.

Can a JWT token be tampered with without detection?

No, if the server verifies the signature. JWTs are signed with a secret or private key. Any modification to the payload invalidates the signature. Always verify signatures server-side before trusting JWT claims.

What happens when a JWT token expires?

The server rejects expired tokens and returns a 401 Unauthorized response. The client should request a new token using a refresh token or prompt the user to log in again.

JWT Decoder

Decode and inspect JSON Web Tokens

Your token is decoded locally in your browser. It is never sent to any server.

Paste your JWT token

What is JWT?

JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. JWTs are commonly used for authentication and authorization.

A JWT consists of three parts separated by dots: Header.Payload.Signature

Common Claims

iss (Issuer) - Who issued the token

sub (Subject) - Who the token is about

aud (Audience) - Who the token is intended for

exp (Expiration) - When the token expires

iat (Issued At) - When the token was issued

nbf (Not Before) - When the token becomes valid

JWT Decoder

What is JWT?

Common Claims

Related Tools