JWT Decoder — Decode & Inspect JSON Web Tokens Online
Decode and inspect JWT tokens instantly in your browser. View header, payload claims, expiry status, and token structure. Free online JWT decoder with live expiry countdown.
How to Decode a JWT Token
- Copy your JWT token from your application, browser developer tools, or API response
- Paste it into the input field at the top of the tool
- The decoded header, payload, and all claims appear instantly
- Check the Token Status banner to see if the token is valid, expired, or not yet active
- Use the Claims Breakdown table to read each claim with its human-readable description and formatted value
Understanding the Three Parts of a JWT
JSON Web Tokens consist of three parts represented as Base64url-encoded strings separated by dots.
Header
The first part of a JWT contains metadata about the token — specifically the signing algorithm (alg) like HS256 or RS256, and the token type (typ) which is always JWT. It is Base64url encoded JSON.
Payload
The second part contains the claims — statements about the subject (usually a user) and additional metadata. Standard claims like sub, exp, iat have well-known meanings. Custom claims can be added for application-specific data. It is Base64url encoded JSON. It is NOT encrypted — anyone can decode it.
Signature
The third part is the cryptographic signature computed by signing the encoded header and payload with a secret key using the algorithm in the header. It is used to verify the token was not tampered with. The secret key is never included in the token itself.
Standard JWT Claims Explained
- sub: Subject. The principal the token is about — usually a user ID.
- iss: Issuer. The entity that issued the token — e.g. your auth server URL.
- aud: Audience. The intended recipients of the token.
- exp: Expiration Time. Unix timestamp after which the token must not be accepted.
- iat: Issued At. Unix timestamp of when the token was issued.
- nbf: Not Before. Unix timestamp before which the token must not be accepted.
- jti: JWT ID. Unique identifier for this token — used to prevent replay attacks.
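The decode-and-inspect step described above, written out as an added example in Node.js (this is not the decoder tool's own code): the token is split on dots, the header and payload are Base64url-decoded and parsed, the token is classified from its time claims the way the Token Status banner does, and each claim is paired with the description from the list above. The sample token, its claim values and the placeholder signature segment are constructed here; nothing in this block verifies a signature.

```javascript
// Added example, not the decoder tool's own code: decode and inspect a JWT
// without verifying it. Node.js 16+ (Buffer supports 'base64url').

// Descriptions for the standard claims listed above.
const STANDARD_CLAIMS = {
  sub: 'Subject', iss: 'Issuer', aud: 'Audience', exp: 'Expiration Time',
  iat: 'Issued At', nbf: 'Not Before', jti: 'JWT ID',
};
const TIME_CLAIMS = new Set(['exp', 'iat', 'nbf']);

// Base64url-decode one segment and parse it as JSON.
function decodeSegment(segment) {
  return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
}

// Split a compact JWT into header, payload and (still encoded) signature.
// Throws on anything that is not exactly three dot-separated segments.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 segments, got ${parts.length}`);
  }
  const [headerB64, payloadB64, signatureB64] = parts;
  return {
    header: decodeSegment(headerB64),
    payload: decodeSegment(payloadB64),
    signature: signatureB64, // decoding never checks this
  };
}

// Classify the token from its time claims, like the Token Status banner.
// `now` is seconds since the Unix epoch; injectable so results are repeatable.
function tokenStatus(payload, now = Math.floor(Date.now() / 1000)) {
  if (typeof payload.nbf === 'number' && now < payload.nbf) return 'not yet active';
  if (typeof payload.exp !== 'number') return 'no expiry';
  if (now >= payload.exp) return 'expired';
  return 'valid';
}

// Build the Claims Breakdown: each claim with a description and a
// human-readable value (time claims become ISO-8601 dates).
function claimsBreakdown(payload) {
  return Object.entries(payload).map(([name, value]) => ({
    name,
    description: STANDARD_CLAIMS[name] ?? 'Custom claim',
    value: TIME_CLAIMS.has(name) && typeof value === 'number'
      ? new Date(value * 1000).toISOString()
      : value,
  }));
}

// --- constructed sample token; the signature segment is a placeholder ---
function encodeSegment(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}
const SAMPLE_PAYLOAD = {
  sub: 'user-42', iss: 'https://auth.example', aud: 'orders-api',
  iat: 1700000000, nbf: 1700000000, exp: 1700003600, role: 'reader',
};
const SAMPLE_TOKEN = `${encodeSegment({ alg: 'HS256', typ: 'JWT' })}.` +
  `${encodeSegment(SAMPLE_PAYLOAD)}.placeholder-signature`;

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log('header:', decoded.header);
console.log('status:', tokenStatus(decoded.payload, 1700001800)); // valid
console.table(claimsBreakdown(decoded.payload));
```

Because the status comes from the unverified payload, it is a convenience for inspection only; a server must not accept a token as "valid" until the signature has been checked.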
JWT Security Best Practices
- Always verify the JWT signature on the server before trusting any claims
- Set a reasonable expiration time — short-lived tokens reduce the impact of token theft
- Never store sensitive data like passwords or private keys in the JWT payload
- Use HTTPS for all token transmission — never send tokens over unencrypted connections
- Store tokens securely — use httpOnly cookies rather than localStorage to prevent XSS attacks
- Implement token refresh mechanisms for long-lived sessions
- Validate the iss and aud claims to prevent token substitution attacks
When to Use JWTs
JWTs are ideal for stateless authentication, where the server does not need to store session information. Because all user data is encoded in the token itself, the server can verify identity without a database lookup. They are widely used in REST APIs, microservices, single-page applications, and mobile app backends. However, JWTs should not be used to store sensitive data in the payload, since the payload is only encoded, not encrypted.
Frequently Asked Questions
What is a JWT token?
A JWT (JSON Web Token) is a compact, URL-safe token format used to securely transmit information between parties as a JSON object. It consists of three Base64url-encoded parts separated by dots: a header containing the algorithm, a payload containing claims, and a signature for verification.
How do I decode a JWT token?
Paste your JWT token into the input field and the decoder instantly shows the decoded header and payload, all claims with descriptions, the token expiry status, and a live countdown to expiry. No signup or account required.
Is it safe to paste my JWT token here?
All decoding happens entirely in your browser. No JWT token you paste is ever sent to any server. However, be cautious about pasting production tokens in any online tool — consider using tokens from development or staging environments for debugging.
Can this tool verify the JWT signature?
No. Signature verification requires the secret key or public key used to sign the token. For security reasons this tool only decodes and inspects the header and payload — it does not perform signature verification. Use your backend or a trusted environment for signature verification.
What are JWT claims?
JWT claims are key-value pairs in the payload section of a JWT. Standard claims include sub (subject), iss (issuer), aud (audience), exp (expiration time), iat (issued at), and nbf (not before). Custom claims can be added for application-specific data like user roles, permissions, or IDs.
Is the JWT payload encrypted?
No. The JWT payload is only Base64url encoded, not encrypted. Anyone who has the token can decode and read the payload. Never store sensitive information like passwords or private keys in a JWT payload. Use JWE (JSON Web Encryption) if you need to encrypt the payload.
What does the exp claim mean in a JWT?
The exp claim (expiration time) is a Unix timestamp indicating when the token expires. After this time the token should be rejected by the server. This tool shows the exp value as a human-readable date and time and displays a live countdown to expiry.
What is the difference between iat and exp in JWT?
iat (issued at) is the Unix timestamp of when the token was created. exp (expiration) is when the token stops being valid. The difference between exp and iat gives you the token's total lifetime. Both are displayed as human-readable dates by this decoder.