JWT Decoder - Decode JSON Web Tokens & Check Expiry Online

Paste any JSON Web Token to instantly decode its header and payload, view the signature, and check whether it has expired. Runs locally — your tokens never leave your browser.

This tool only decodes the token — it does not verify the signature against a secret or public key. Anyone with the token can read its payload, so never put secrets in a JWT.

About JSON Web Tokens

A JWT has three Base64URL-encoded segments separated by dots: header, payload and signature. The header names the signing algorithm (and often a key id), the payload carries claims (such as sub, iat and exp), and the signature lets anyone holding the right key confirm that the header and payload have not been altered since the issuer signed them. Decoding never requires a key; only verification does.

Frequently Asked Questions

Paste the encoded JWT (the long eyJ… string) into the input box. The tool splits it on the two dots, Base64URL-decodes the header and payload, and shows the JSON for each plus the raw signature segment — all without making any network request.
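The decoding step described above, as an added example that is not the tool's own code: plain JavaScript that runs unchanged in a browser or in Node.js 16 or later. The first sample token is the widely published jwt.io example; the second is constructed here to show that the Base64URL segments must be decoded as UTF-8, not with a bare atob(), and its signature segment is a placeholder.

```javascript
// Added example, not the page's own code: the decoding step the tool performs, in
// plain JavaScript that runs unchanged in a browser or in Node.js >= 16
// (atob, btoa, TextEncoder and TextDecoder are all globals there).

// JWT segments use the Base64URL alphabet (RFC 4648 section 5) with padding removed,
// so atob() cannot consume them directly: swap the alphabet back and re-pad first.
// Decoding the bytes as UTF-8 matters for claims such as names with non-ASCII characters.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error("segment contains characters outside the Base64URL alphabet");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Inverse of the above; used here only to build a constructed sample with a UTF-8 claim.
function base64UrlEncode(text) {
  const bytes = new TextEncoder().encode(text);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Split the compact serialisation on its two dots, parse header and payload as JSON
// and hand back the third segment untouched. Nothing here checks the signature.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  const header = JSON.parse(base64UrlDecode(headerSeg));
  const payload = JSON.parse(base64UrlDecode(payloadSeg));
  if (header === null || typeof header !== "object" || payload === null || typeof payload !== "object") {
    throw new Error("header and payload must be JSON objects");
  }
  return { header, payload, signature: signatureSeg };
}

// The widely published jwt.io sample token (HS256; payload carries sub, name and iat).
const SAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

// Constructed token with a non-ASCII claim. Its signature segment is a placeholder,
// which is fine because decoding never touches it.
const UNICODE_TOKEN =
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })) + "." +
  base64UrlEncode(JSON.stringify({ sub: "42", name: "Zoë Müller" })) + "." +
  "placeholder-signature";

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN), null, 2));
}
```

The alphabet check before decoding is what turns a stray space or a truncated paste into a clear error instead of garbage JSON; the `fatal: true` option on TextDecoder does the same for a payload that is not valid UTF-8.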

No. The decoder only parses the token. It does not check the signature against a secret or public key, because verification requires the issuer's key material, and it does not decide whether the algorithm, issuer or audience are the ones your application expects. Use a maintained JWT library on the server, configured with the expected algorithm, issuer and audience, for production verification; this tool is for inspection and debugging.

You get the header (alg and, when present, the kid key identifier), the payload claims (sub, iss, aud, iat, exp and any custom claims) and the raw signature segment. Standard timestamp claims are formatted as human-readable dates so you can spot stale tokens at a glance.

If the payload contains the standard "exp" claim, the tool compares it to the current time and shows either "Valid until" or "Token expired at" with the exact timestamp. Per RFC 7519, exp is a NumericDate, that is, whole seconds since the Unix epoch, and a token is already expired once the current time reaches it. Tokens without an exp claim are reported as having no expiry.
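The expiry classification above, as an added example that is not the tool's code. It goes a little beyond the tool: it also honours nbf (not-before), takes an optional clock-skew leeway such as a verifier would apply, and flags an exp that is suspiciously far out, which is what an exp mistakenly written in milliseconds looks like. It takes an already decoded payload object, and the current time is a parameter so results are reproducible.

```javascript
// Added example, not the page's own code: classify a decoded JWT payload by its time
// claims. RFC 7519 NumericDate values are whole seconds since the Unix epoch; a value
// that is secretly milliseconds (a common bug) lands thousands of years in the future.
const SECONDS_IN_YEAR = 31557600;

// nowSeconds is injectable so results are reproducible; leeway is the clock-skew
// tolerance a verifier would apply. The decoder tool itself applies none, hence 0.
function describeExpiry(payload, nowSeconds = Math.floor(Date.now() / 1000), leeway = 0) {
  const iso = (secs) => new Date(secs * 1000).toISOString();
  const { exp, nbf } = payload;

  // Number.isFinite does not coerce, so a string such as "1700000000" is rejected.
  for (const [name, value] of [["exp", exp], ["nbf", nbf]]) {
    if (value !== undefined && !Number.isFinite(value)) {
      return { status: "invalid", detail: `${name} must be a NumericDate (seconds since epoch)` };
    }
  }

  // RFC 7519 section 4.1.5: the token must not be accepted before nbf.
  if (nbf !== undefined && nowSeconds + leeway < nbf) {
    return { status: "not-yet-valid", detail: `Not valid before ${iso(nbf)}` };
  }
  if (exp === undefined) {
    return { status: "no-expiry", detail: "Token has no exp claim" };
  }
  if (exp - nowSeconds > 1000 * SECONDS_IN_YEAR) {
    return { status: "suspicious", detail: `exp ${exp} is more than 1000 years out; milliseconds instead of seconds?` };
  }
  // RFC 7519 section 4.1.4: the current time must be strictly before exp, so a token
  // whose exp equals "now" is already expired.
  if (nowSeconds - leeway >= exp) {
    return { status: "expired", detail: `Token expired at ${iso(exp)}` };
  }
  return { status: "valid", detail: `Valid until ${iso(exp)}` };
}

if (typeof require !== "undefined" && require.main === module) {
  // Constructed payloads: one an hour from "now", one already past, one with no exp.
  const now = 1700000000;
  for (const p of [{ exp: now + 3600 }, { exp: now - 1 }, { sub: "no-expiry" }]) {
    console.log(describeExpiry(p, now));
  }
}
```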

A JWT is a bearer credential: whoever holds the token, not only the person it was issued to, can present it until it expires, so treat production tokens like passwords. This decoder runs entirely in your browser and never transmits the token, but the safer habit is to paste only short-lived development or staging tokens, and to treat any production token that has been pasted into a third-party page as exposed.

A JWT has three Base64URL-encoded segments separated by dots: header (signing algorithm), payload (the claims the issuer wants the verifier to trust) and signature (a MAC or digital signature over header.payload). Decoding never needs a key — only verification does.

Use Cases

Debug OAuth & OpenID Connect Flows

Decode access tokens and ID tokens returned by Auth0, Okta, Cognito and Azure AD to check scopes, audiences and issuers during local OAuth integration work. OAuth 2.0 does not require access tokens to be JWTs, so an opaque access token will not decode; ID tokens in OpenID Connect are always JWTs.

Inspect Authorization Headers in API Calls

Paste the bearer token from a failing API request to confirm whether the wrong tenant, role or expiry is to blame before opening a ticket with the backend team

Check Token Expiry During Development

Spot expired tokens that are silently breaking your staging environment by reading the exp claim — no need to copy the token into a terminal or write a quick script

Audit Permissions Encoded in Token Claims

Read custom claims such as roles, tenants and feature flags so admins can confirm a customer's token carries exactly the access the licence team intended. Decoding shows what the claims say; only signature verification by the API that consumes the token proves the issuer actually put them there.

Validate Single Sign-On Integrations

Inspect OIDC ID tokens produced by enterprise SSO integrations to confirm group memberships and attribute mappings before rolling out to all employees. SAML assertions are XML, not JWTs, so they cannot be decoded here.

Teach Token-Based Authentication

Use the decoded header, payload and signature panes to explain how JWTs are structured to bootcamp students, junior engineers and security workshop attendees
