Online JWT Decoder

Decode, inspect, and validate JSON Web Tokens with expiry detection and claim analysis

How to Use the JWT Decoder

  1. Paste your JWT token into the input field
  2. The token is decoded instantly as you type
  3. View header (algorithm, type) and payload (claims)
  4. Check the expiry status in the preview panel
  5. Copy individual parts with one click

What You Get

Instant JWT decoder that shows header, payload, and signature parts. Color-coded display, claim descriptions, expiry detection with countdown timer.

Input: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Output: { "alg": "HS256", "typ": "JWT" } + payload claims

Input: Token with exp claim

Output: Shows "Expires in 2h 30m" or "Expired 5 minutes ago"

Input: Token with custom claims

Output: name, email, role, permissions displayed with icons

How do I decode a JWT token online?

Paste your JWT into the input field and it decodes instantly. You'll see three parts: header (algorithm info), payload (your claims data), and signature. No signup or software needed.

What is a JWT token and how does it work?

JWT (JSON Web Token) is a URL-safe string with three Base64url-encoded parts separated by dots: header.payload.signature. The header describes the algorithm, the payload contains your data (claims), and the signature lets anyone holding the right key check that the token wasn't tampered with.

What are JWT claims and what do they mean?

Claims are key-value pairs in the payload. Standard claims: iss (who issued it), sub (user ID), exp (expiration timestamp), iat (issued at), aud (intended audience). Custom claims can be any data your application needs.

How do I check if a JWT token is expired?

Look for the "exp" claim in the payload. If the current Unix timestamp is greater than exp, the token is expired. This decoder shows a countdown timer and "Expired" or "Valid" badge automatically. An unexpired token is still untrusted until its signature has been verified.

What does the JWT header contain?

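The header usually has two fields: "alg" (the signing algorithm, like HS256 or RS256) and "typ" (usually "JWT"). Some tokens also include "kid" (key ID) for key rotation. The header is part of the untrusted token, so a verifier should compare "alg" against the algorithm it expects rather than accept whatever the token declares.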

Why can anyone decode my JWT without a secret?

JWTs are encoded, not encrypted. The payload is just Base64url-encoded JSON, which anyone can decode. The secret is only used to verify the signature, not to hide the contents. Never store sensitive data in JWTs.

Is it safe to paste my JWT in an online decoder?

Only if it's client-side like this one. This tool processes everything in your browser - your token never leaves your device. Avoid server-side decoders for production tokens.

What is the difference between HS256 and RS256?

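HS256 uses a shared secret (symmetric) - both sides need the same key, so every service that can verify a token can also sign one. RS256 uses a private/public keypair (asymmetric) - sign with private, verify with public. RS256 is more secure for distributed systems because verifiers hold only the public key and cannot issue tokens themselves.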

Can I decode a JWT without knowing the secret key?

Yes. Decoding only reveals the header and payload, which are base64-encoded (not encrypted). The secret is only needed to verify the signature, not to read the token contents.
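
The decoding and expiry check described in the answers above, as an added example (not this tool's own code): it reads the three segments without any secret and never verifies the signature, so the result is marked unverified. The function names and the sample token are constructed for illustration.

```javascript
// Base64url -> UTF-8 text. JWT segments use '-' and '_' and omit '=' padding.
function b64urlToText(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("invalid base64url segment");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Inverse helper, used only to build the constructed sample token below.
function textToB64url(text) {
  let bin = "";
  for (const b of new TextEncoder().encode(text)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode only: no key is involved, so nothing here proves the token is genuine.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return {
    header: JSON.parse(b64urlToText(parts[0])),
    payload: JSON.parse(b64urlToText(parts[1])),
    signature: parts[2],   // left as opaque text; checking it needs the key
    verified: false,       // decoding never changes this
  };
}

// Human-readable expiry. Per RFC 7519 the token is valid only while now < exp.
function expiryStatus(payload, nowSeconds) {
  if (typeof payload.exp !== "number") return "No exp claim";
  const delta = payload.exp - nowSeconds;
  const abs = Math.abs(delta);
  const h = Math.floor(abs / 3600);
  const m = Math.floor((abs % 3600) / 60);
  const span = h > 0 ? `${h}h ${m}m` : `${m}m`;
  return delta > 0 ? `Expires in ${span}` : `Expired ${span} ago`;
}

// Constructed sample: fixed clock, made-up claims, placeholder signature.
const NOW = 1700000000;
const sampleToken = [
  textToB64url(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  textToB64url(JSON.stringify({ sub: "user-123", role: "viewer", exp: NOW + 9000 })),
  "constructed-signature-placeholder",
].join(".");
```
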

All processing happens in your browser. Your tokens never leave your device.