JWT Decoder
Decode and inspect JWT tokens. View header, payload, signature. Verify JWT expiration and claims. Free online JSON Web Token decoder and debugger
A JWT is three Base64URL-encoded strings joined with dots. Most "JWT not working" bugs are not about cryptography — they are about token expiration, clock skew between issuer and verifier, or claims that look right but are typed wrong. This decoder splits the token into header, payload, and signature, validates the structure, surfaces standard claims (iss, sub, aud, exp, iat, nbf), and tells you exactly which one is the problem.
What a JWT actually is
A JSON Web Token is defined by RFC 7519 and follows the JWS Compact Serialization from RFC 7515. The three segments are: a Base64URL-encoded JSON header describing the algorithm and token type, a Base64URL-encoded JSON payload of claims, and a Base64URL-encoded signature over the first two segments. Note: Base64URL, not Base64 — dashes and underscores replace + and /, and padding is omitted.
The signature proves the issuer holds the secret (for HMAC) or the private key (for RSA/ECDSA). The payload is signed but NOT encrypted. Anyone with the token can read its contents. If you put sensitive data in a JWT, you have just published it.
Working example
Input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Output
Header: { "alg": "HS256", "typ": "JWT" }
Payload: { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }
Signature: SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
iat: 1516239022 is a Unix timestamp = Thu, 18 Jan 2018 01:30:22 UTC. No exp claim means this token never expires — which is almost certainly a bug.
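The decode step described above, as an added example that is not the tool's own code: it splits the token, rejects whitespace and wrong segment counts (a five-segment token is flagged as JWE), checks each segment against the Base64URL alphabet before decoding, parses header and payload as JSON objects, and renders the registered time claims in human form. It assumes Node.js 16 or newer, where Buffer understands the 'base64url' encoding; the only input is the page's own working example token.

```javascript
// Added example, not the tool's own code: decode a JWS compact token without
// verifying it, following the split / validate / Base64URL-decode steps above.
// Assumes Node.js 16+ (Buffer understands the 'base64url' encoding).

const BASE64URL = /^[A-Za-z0-9_-]+$/;           // URL-safe alphabet, no padding
const BASE64URL_OR_EMPTY = /^[A-Za-z0-9_-]*$/;  // an unsecured JWS has an empty signature

function base64UrlToObject(segment, what) {
  if (!BASE64URL.test(segment)) {
    throw new Error(`${what} is not Base64URL (look for '+', '/', '=' or whitespace)`);
  }
  let value;
  try {
    value = JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
  } catch (e) {
    throw new Error(`${what} decodes but is not valid JSON: ${e.message}`);
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error(`${what} must be a JSON object`);
  }
  return value;
}

function decodeJwt(token) {
  if (typeof token !== 'string' || /\s/.test(token)) {
    throw new Error('token must be a single string with no whitespace (check the paste)');
  }
  const parts = token.split('.');
  if (parts.length === 5) {
    throw new Error('five segments: this is a JWE; decrypting it needs the recipient key');
  }
  if (parts.length !== 3) {
    throw new Error(`expected header.payload.signature, got ${parts.length} segment(s)`);
  }
  const [h, p, s] = parts;
  if (!BASE64URL_OR_EMPTY.test(s)) throw new Error('signature is not Base64URL');
  return {
    header: base64UrlToObject(h, 'header'),
    payload: base64UrlToObject(p, 'payload'),
    signature: s,
  };
}

// Render exp / iat / nbf as UTC dates and flag a missing exp.
function summarizeTimes(payload) {
  const notes = [];
  for (const claim of ['exp', 'iat', 'nbf']) {
    if (!(claim in payload)) continue;
    const v = payload[claim];
    if (!Number.isFinite(v)) {
      notes.push(`${claim}: ${JSON.stringify(v)} is not a NumericDate (RFC 7519 wants seconds as a number)`);
    } else {
      notes.push(`${claim}: ${v} = ${new Date(v * 1000).toISOString()}`);
    }
  }
  if (!('exp' in payload)) notes.push('no exp claim: this token never expires');
  return notes;
}

// Constructed input for the demo: the page's own working example token.
const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

const decodedSample = decodeJwt(SAMPLE_TOKEN);
console.log(JSON.stringify(decodedSample, null, 2));
console.log(summarizeTimes(decodedSample.payload).join('\n'));
```

The alphabet check before decoding matters: Buffer silently skips characters it does not recognise, so a standard-Base64 token with `+` or `/` in it would otherwise decode to garbage JSON instead of a clear "not Base64URL" error.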
Claims you should care about
- exp (expiration) — Unix timestamp in seconds, not milliseconds. The token is invalid at or after this time. Missing exp is a security smell.
- iat (issued at) — when the token was created. Useful for catching tokens issued far in the past.
- nbf (not before) — token is invalid before this timestamp. Almost never needed; usually omitted.
- iss (issuer) — string identifying who minted the token. Always validate against an allowlist on the verifier side.
- aud (audience) — who the token is for. If your service is not in the audience list, reject the token.
- sub (subject) — usually a user ID. Treat as opaque; do not parse meaning out of it unless your own service issued the token.
- jti (JWT ID) — unique identifier for replay protection or revocation lists.
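The verifier-side checks for these claims, written as an added example rather than the tool's own code. It takes an already-decoded payload plus the verifier's own expectations (a bounded clock-skew leeway in seconds, an issuer allowlist, the service's audience identifier) and returns every problem it finds instead of stopping at the first. The 1e11 threshold for spotting a milliseconds value is a heuristic chosen here, not something from RFC 7519; it assumes the signature is verified separately, since claim checks on an unverified token only report what the token says.

```javascript
// Added example, not the tool's own code: validate registered claims the way a
// verifier should, with explicit clock-skew tolerance. Assumes the signature
// has already been verified; all sample payloads and timestamps are constructed.

const MAX_PLAUSIBLE_SECONDS = 1e11; // heuristic: larger values are almost certainly milliseconds

function validateClaims(payload, options) {
  const {
    now = Math.floor(Date.now() / 1000), // seconds, per RFC 7519
    leeway = 0,                           // seconds of issuer/verifier skew to tolerate
    issuers = [],                         // allowlist of acceptable iss values
    audience = null,                      // this service's identifier, if aud is checked
    requireExp = true,                    // a token without exp never expires
  } = options || {};
  const problems = [];

  // Read a NumericDate claim, flagging wrong types and millisecond values.
  const numericDate = (name) => {
    if (!(name in payload)) return undefined;
    const v = payload[name];
    if (!Number.isFinite(v)) {
      problems.push(`${name} must be a NumericDate, got ${JSON.stringify(v)}`);
      return undefined;
    }
    if (v > MAX_PLAUSIBLE_SECONDS) {
      problems.push(`${name}=${v} looks like milliseconds; RFC 7519 uses seconds`);
      return undefined;
    }
    return v;
  };

  const exp = numericDate('exp');
  const nbf = numericDate('nbf');
  const iat = numericDate('iat');

  if (exp === undefined) {
    if (requireExp && !('exp' in payload)) problems.push('exp missing: token never expires');
  } else if (now >= exp + leeway) {
    problems.push(`expired: exp ${exp} is ${now - exp}s in the past (leeway ${leeway}s)`);
  }
  if (nbf !== undefined && now + leeway < nbf) {
    problems.push(`not yet valid: nbf ${nbf} is ${nbf - now}s in the future (leeway ${leeway}s)`);
  }
  if (iat !== undefined && iat > now + leeway) {
    problems.push(`iat ${iat} is in the future: issuer/verifier clock skew`);
  }

  if (issuers.length > 0 && (typeof payload.iss !== 'string' || !issuers.includes(payload.iss))) {
    problems.push(`iss ${JSON.stringify(payload.iss)} is not in the allowlist`);
  }
  if (audience !== null) {
    const aud = payload.aud; // a string or an array of strings
    const list = Array.isArray(aud) ? aud : typeof aud === 'string' ? [aud] : [];
    if (!list.includes(audience)) problems.push(`aud ${JSON.stringify(aud)} does not include ${audience}`);
  }
  if ('sub' in payload && typeof payload.sub !== 'string') problems.push('sub must be a string');
  if ('jti' in payload && typeof payload.jti !== 'string') problems.push('jti must be a string');

  return { ok: problems.length === 0, problems };
}

// Demo with a fixed "now" so the result is reproducible.
const DEMO_NOW = 1700000000;
console.log(validateClaims(
  { exp: DEMO_NOW - 10, iss: 'https://issuer.example', aud: ['api.example', 'other'], sub: 'u1' },
  { now: DEMO_NOW, leeway: 0, issuers: ['https://issuer.example'], audience: 'api.example' },
));
```

Leeway is applied symmetrically and kept small on purpose: a few tens of seconds absorbs NTP drift between issuer and verifier, while anything larger turns the exp check into decoration.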
When to reach for this tool
- Your API returns 401 with no detail. Decode the token to find a missing or expired exp before blaming the auth layer.
- You are migrating between two identity providers and need to compare what each one puts in the payload (often the iss, aud, and custom claims differ in subtle ways).
- You want to confirm your "encrypted" JWT is actually JWS (signed), not JWE (encrypted) — JWEs have five segments, not three.
- You are debugging clock-skew issues between issuer and verifier (exp slightly in the past, nbf slightly in the future) and want to see the timestamps in human form.
What this tool will not do
- It will not verify the signature. Verification requires the issuer's secret or public key, which depends on your environment. Use the matching JWT library on the verifier side.
- It will not decrypt JWE tokens. If the token has five segments separated by dots, it is encrypted, not just signed — you need the recipient's private key to decrypt.
- It will not warn about JWT-spec antipatterns ("alg": "none" attacks, missing kid header, RS256-as-HS256 confusion). For those, run a real JWT security linter.
Tokens are decoded entirely in your browser. Production JWTs often contain user IDs, email addresses, and internal claims — pasting them into server-side decoders leaks that data. This one does not.
Frequently asked questions
Is the payload of a JWT encrypted?
No. It is Base64URL-encoded, which is reversible without any key. Anyone who has the token can read the payload. Put sensitive data in the session store, not in the JWT itself.
Why does my decoder show "Invalid token" for a token that works in Postman?
Usually a copy-paste issue: a trailing newline, a missing dot, or extra whitespace inside one of the segments. A JWT must be exactly three segments separated by single dots, with no whitespace anywhere.
Are exp and iat in seconds or milliseconds?
Seconds, per RFC 7519. JavaScript dates are in milliseconds, so multiply or divide by 1000 when converting. A common bug is passing Date.now() directly to exp: the value is about 1000x too large, which puts the expiry far in the future, so it will look correct in tests but is a spec violation.
What is the difference between HS256 and RS256?
HS256 uses HMAC with a shared secret — anyone who can verify the token can also forge one. RS256 uses RSA with a public/private key pair — only the holder of the private key can sign, but anyone with the public key can verify. Use RS256 (or ES256) when the issuer and verifier are separate parties.
How do I tell if a JWT is expired without verifying it?
Decode the payload, take the exp claim, and compare it to the current Unix timestamp in seconds. This tool does that automatically. Reading exp does not require verifying the signature, but an unverified exp is only what the token claims, and an attacker could obviously change it, so always combine this check with signature verification in production.
My JWT has a "kid" in the header. What is it?
Key ID. It tells the verifier which key (out of several the issuer may use) was used to sign this token. The verifier looks up the public key in a JWKS endpoint by kid. Useful when keys are rotated frequently.
Last updated · E-Utils editorial team