JWT Decoder
Paste any JSON Web Token to instantly decode the header, payload, and signature. Everything runs in your browser — your tokens never leave your machine.
A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and information exchange. It consists of three Base64url-encoded parts separated by dots: a header (algorithm and type), a payload (claims like user ID and expiry), and a signature for verification.
Yes — decoding a JWT only reads its contents, which are not secret. The header and payload are just Base64url-encoded JSON, readable by anyone who has the token. Only signature verification requires a key (the shared secret or the public key), and our tool deliberately does not attempt this.
JWTs contain an exp (expiry) claim — a Unix timestamp after which the token should no longer be accepted. Our decoder automatically calculates whether the token has expired based on the current time and shows you a countdown of how much time remains.
HS256 (HMAC-SHA256) uses a single shared secret key for both signing and verification — simpler but requires all parties to share the secret. RS256 (RSA-SHA256) uses a private key to sign and a public key to verify — more secure for distributed systems because the verification key can be public.