JWT Decoder
Decode and inspect JSON Web Tokens
Your token is decoded locally in your browser. It is never sent to any server.
Frequently Asked Questions
What is a JWT?
A JWT (JSON Web Token) is a compact token format used for authentication. It consists of a header, a payload (the claims), and a signature.
Is it safe to paste my JWT?
Yes. Decoding happens in your browser. No data is sent to any server.
What is JWT expiration?
The "exp" claim specifies when the token expires (Unix timestamp). After that, it should be rejected.
Can a JWT token be tampered with without detection?
No, if the server verifies the signature. JWTs are signed with a secret or private key. Any modification to the payload invalidates the signature. Always verify signatures server-side before trusting JWT claims.
What happens when a JWT token expires?
The server rejects expired tokens and returns a 401 Unauthorized response. The client should request a new token using a refresh token or prompt the user to log in again.
What is JWT?
JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. JWTs are commonly used for authentication and authorization.
A JWT consists of three parts separated by dots: Header.Payload.Signature
Common Claims
iss (Issuer) - Who issued the token
sub (Subject) - Who the token is about
aud (Audience) - Who the token is intended for
exp (Expiration) - When the token expires
iat (Issued At) - When the token was issued
nbf (Not Before) - When the token becomes valid