JWT Decoder

Paste any JSON Web Token to instantly decode the header and payload, inspect claims, check expiry, and verify HMAC signatures.

No data leaves your browser

Frequently Asked Questions

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format used to securely transmit information between parties as a JSON object. It consists of three base64url-encoded parts: header, payload, and signature, separated by dots.

Is this JWT decoder free?

Yes, completely free. No signup or account required.

Is my JWT token safe?

All decoding happens entirely in your browser. Your token is never sent to a server.

Can this tool verify JWT signatures?

Yes. Paste your HMAC secret into the Verify field and the tool checks whether the signature is valid for the given header and payload.

What are the three parts of a JWT?

A JWT has three dot-separated parts: the header (algorithm and token type), the payload (claims/data), and the signature (an HMAC or digital signature computed over the encoded header and payload). Each part is base64url encoded.

What is the JWT payload?

The payload is the middle section of a JWT. It contains claims — statements about the user or token such as sub (subject), iat (issued at), exp (expiration), and any custom fields.

What is the exp claim?

exp is the expiration time claim. It holds a Unix timestamp (seconds since 1970-01-01). A token whose exp is in the past is considered expired and should be rejected by the server.

How do I check if a JWT is expired?

Decode the token and look at the exp claim. If the value is less than the current Unix timestamp, the token is expired. This tool shows a live expiry countdown automatically.

Can I decode a JWT without the secret?

Yes. The header and payload are only base64url encoded, not encrypted — anyone can read them. The signature requires the secret to verify authenticity, but decoding the contents does not.

What is the difference between JWT and an API key?

An API key is an opaque string that the server looks up in a database. A JWT is self-contained — the server can verify it using a secret or public key without a database lookup.

What does 'invalid signature' mean?

It means the token's signature does not match the expected value for the given header, payload, and secret. The token may have been tampered with or signed with a different key.

What is the difference between HS256 and RS256?

HS256 uses a shared HMAC secret — both sides must know the key. RS256 uses an RSA key pair — the server signs with a private key and anyone can verify with the public key.
