JWT Decoder
Paste a JWT token to decode its header, payload, and check expiration. 100% client-side — your token never leaves your browser.
Frequently Asked Questions
What is a JWT?
JWT (JSON Web Token) is a compact, URL-safe token format used for authentication and authorization. It has three parts separated by dots: header (algorithm), payload (claims/data), and signature (verification). JWTs are used by OAuth, OpenID Connect, and most modern APIs.
Is it safe to decode JWTs in the browser?
Decoding is safe: JWT payloads are only Base64url-encoded, not encrypted. Anyone with the token can read the payload. The signature prevents tampering but does not hide data. Never put sensitive data (passwords, credit cards) in JWT payloads. This tool runs 100% client-side; your token never leaves your browser.
What does the expiration (exp) claim mean?
The exp claim is a Unix timestamp indicating when the token expires. After this time, the token should be rejected by the server. Common expiration times range from 15 minutes (access tokens) to 7 days (refresh tokens). If exp is in the past, the token is expired.
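The decoding and exp check described in the two answers above, as an added example (not this tool's own code). The names b64urlToJson, inspectJwt, toB64url and SAMPLE are assumptions, the sample token is constructed, and the nbf handling goes slightly beyond the exp case in the text.

```javascript
// Decode one base64url segment (RFC 7515 alphabet, padding stripped) into JSON.
function b64urlToJson(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // fatal:true rejects invalid UTF-8 instead of silently substituting characters
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

// Inspect a token without verifying it. nowSeconds is injectable for testing.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);

  let status = "no exp claim";
  if (typeof payload.exp === "number") {
    // exp is in seconds; the token is expired once the clock reaches it
    status = nowSeconds >= payload.exp ? "expired" : "not expired";
  }
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) {
    status = "not yet valid";
  }
  // The signature segment is never checked here, so none of these claims
  // are proven authentic; a server must verify before trusting them.
  return { header, payload, status, signatureVerified: false };
}

// Helper used only to build the constructed sample below.
function toB64url(obj) {
  return btoa(JSON.stringify(obj))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed sample token; the third segment is a placeholder, not a real signature.
const SAMPLE = [
  toB64url({ alg: "HS256", typ: "JWT" }),
  toB64url({ sub: "user-123", iat: 1700000000, exp: 1700000900 }),
  "c2lnbmF0dXJl",
].join(".");

console.log(inspectJwt(SAMPLE, 1700000100));
```

The result always reports signatureVerified as false: anyone can build a token that decodes cleanly, so the decoded claims are for inspection only.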
Can I verify the signature here?
This tool decodes and inspects JWTs but does not verify signatures, as that requires the secret key, which should never be shared publicly, or the public key. For signature verification, use your server-side code with the appropriate key.
What are common JWT claims?
Standard claims: iss (issuer), sub (subject/user ID), aud (audience), exp (expiration), nbf (not before), iat (issued at), jti (JWT ID). Custom claims can contain any data like roles, permissions, or user info.