JWT Decoder
Decode & Inspect
View header, payload, and signature.
Expiration Check
Shows if token is expired with timestamps.
No Verification
Decodes only — never sends token to server.
Client-side
All processing in your browser. No data uploaded.
Giới thiệu về JWT Decoder
JSON Web Tokens (JWTs) are a compact, URL-safe standard for transmitting signed claims between parties, defined in RFC 7519. A JWT consists of three Base64URL-encoded parts separated by dots: the header (algorithm and token type), the payload (claims such as user ID, roles, and expiration time), and the signature. They are widely used in authentication flows — an API server issues a JWT after login, and the client includes it in every subsequent request so the server can verify identity without querying a database. This decoder lets you instantly inspect any JWT's contents. Paste a token and the tool decodes and pretty-prints the header and payload as formatted JSON, so you can read all the claims at a glance. Timestamp claims (exp, iat, nbf) are automatically rendered as human-readable dates, and expired tokens are flagged in red. Importantly, this tool never sends your token to any server — everything is decoded locally in your browser. Signature verification is intentionally not performed, keeping the tool simple and safe for inspecting tokens without needing a secret key.
Làm sao để JWT Decoder?
- Paste your JWT (starting with "eyJ...") into the text area at the top of the tool.
- The header and payload are decoded and displayed as formatted JSON automatically.
- Check the coloured badges near the top for expiration (exp), issued-at (iat), and not-before (nbf) times.
- A red "Expired" badge indicates the token's exp claim is in the past.
- Use the Copy buttons to copy the header or payload JSON to your clipboard.
- Inspect claim fields such as sub (subject/user ID), iss (issuer), and aud (audience) in the payload section.
Câu hỏi thường gặp
Does this tool verify JWT signatures?
No. This tool only decodes the Base64URL-encoded parts of the token — it does not verify the cryptographic signature. Signature verification requires the server's secret key or public certificate and should be done server-side.
Is it safe to paste my JWT here?
Be cautious with production tokens containing sensitive user data. This tool processes everything locally in your browser and never sends data to any server, but avoid pasting tokens from live production systems if possible. Use test or development tokens for inspection.
What are the standard JWT claims?
Common registered claims include: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). Payloads often also include custom application-specific claims.
What does "exp" mean and why is it important?
The exp claim specifies the expiration time of the token as a Unix timestamp. After this time the token should no longer be accepted. This tool highlights expired tokens in red so you can immediately see if a token has lapsed.
What algorithms can JWTs use?
The algorithm is specified in the header's "alg" field. Common options are HS256 (HMAC-SHA256, symmetric), RS256 (RSA-SHA256, asymmetric), and ES256 (ECDSA-SHA256). The "none" algorithm is considered insecure and should be rejected by servers.
Công cụ liên quan
Top 10 Free Tools Every Developer Needs
Boost your productivity instantly. Get our exclusive cheatsheet featuring the most essential web utilities you didn't know you needed, delivered straight to your inbox.
We respect your inbox. Unsubscribe at any time.