JWT Decoder – Decode JSON Web Tokens Online


Paste any JWT and instantly see its decoded header, payload, and signature. The tool highlights expiry status and shows issued-at timestamps in a human-readable format. No server involved — your token never leaves your browser.

JWT Structure

| Part | Content | Example claims |
| --- | --- | --- |
| Header | Algorithm & token type | alg: HS256, typ: JWT |
| Payload | Claims (user data, expiry) | sub, iat, exp, name |
| Signature | Integrity proof (raw) | SflKxw… |

Frequently Asked Questions

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format used to transmit claims between two parties. It consists of three base64url-encoded parts separated by dots: a header (algorithm and type), a payload (the actual claims), and a signature.

Is it safe to paste my JWT here?

All decoding happens entirely in your browser using JavaScript. Your JWT is never sent to any server. However, treat JWTs as sensitive data — they are credentials. Avoid pasting live production tokens in public environments.

What is the exp claim?

The "exp" (expiration time) claim is a Unix timestamp (seconds since 1 Jan 1970 UTC) indicating when the token expires. After this time, the token should be rejected. This tool shows the human-readable expiry date and whether the token is currently expired.

What is the iat claim?

The "iat" (issued at) claim is a Unix timestamp showing when the JWT was created. It is used to determine the age of the token and can be used to reject tokens that are too old.

Can I verify the JWT signature here?

No. Signature verification requires the secret key (for HMAC algorithms like HS256) or the public key (for RSA/ECDSA algorithms like RS256). This tool decodes the token to read its claims but cannot verify the signature without the key.

What is the difference between HS256 and RS256?

HS256 uses a shared secret key (HMAC-SHA256) — the same key signs and verifies. RS256 uses an RSA public/private key pair — the private key signs the token and the public key verifies it. RS256 is preferred in distributed systems where multiple services verify tokens.

Is a JWT the same as a session cookie?

No. A session cookie stores a session ID that maps to server-side session data. A JWT is self-contained — all the user's claims are inside the token itself. JWTs are stateless; the server does not need to store anything to verify them.

Why does my JWT have three parts?

Every JWT has exactly three parts: header.payload.signature. The header describes the algorithm. The payload carries the claims. The signature proves the token was issued by a trusted party and has not been tampered with. A token with fewer or more than three parts separated by dots is not a valid JWT.
