Decode and inspect JSON Web Tokens without validation.
What is JWT Decoder?
JWT Decoder parses JSON Web Tokens into their three components — header, payload, and signature. See the algorithm, all claims with explanations, expiration status, and security assessment without needing command-line tools.
How to use this tool
Paste a JWT token (three dot-separated strings).
The header and payload are decoded and displayed with syntax highlighting.
Each claim is explained (iss=Issuer, sub=Subject, exp=Expiration, etc.).
Expiration is checked: the tool shows whether the token is still within its lifetime or has expired, with a countdown.
Algorithm security rating is shown (HS256, RS256, or the dangerous "none").
Frequently asked questions
What is a JWT?
A JSON Web Token is a compact, URL-safe token format for securely transmitting claims between parties. It has three parts: header (algorithm), payload (data/claims), and signature (verification). Used widely for API authentication.
Is it safe to decode JWTs client-side?
The header and payload are just Base64url-encoded, not encrypted — anyone can decode them. The security is in the signature, which prevents tampering. Never put sensitive data like passwords in JWT payloads.
What does algorithm "none" mean?
It marks an unsigned token: there is no signature to verify. Accepting such tokens is a known security vulnerability, because attackers can forge tokens by setting alg to "none". Your server should always reject tokens with alg: none.
How do I know if a JWT is expired?
Check the exp claim — it contains a Unix timestamp of when the token expires. This tool automatically compares it to the current time and shows whether the token is still within its lifetime or has expired.
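The decoding, alg check and exp comparison described in the answers above, as an added example (not this tool's own code). It assumes Node.js; the function names and sample tokens are constructed for illustration, and like the tool it inspects a token without verifying its signature.

```javascript
// Added example: inspect a JWT without verifying it (assumes Node.js, where Buffer is global).
function b64urlDecode(segment) {
  // JWT segments use the URL-safe alphabet without padding; map back to standard Base64.
  const std = segment.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(std, "base64").toString("utf8");
}

function b64urlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated segments");
  let header, payload;
  try {
    header = JSON.parse(b64urlDecode(parts[0]));
    payload = JSON.parse(b64urlDecode(parts[1]));
  } catch (e) {
    throw new Error("header or payload is not Base64url-encoded JSON");
  }
  if (!header || typeof header !== "object" || !payload || typeof payload !== "object") throw new Error("header and payload must be JSON objects");
  const findings = [];
  // "alg" is untrusted input; compare case-insensitively so "None" or "NONE" is also flagged.
  const alg = String(header.alg ?? "");
  if (alg.toLowerCase() === "none") findings.push("alg-none");
  if (parts[2] === "") findings.push("empty-signature");
  let expiry = "no-exp-claim";
  if (typeof payload.exp === "number") {
    expiry = payload.exp <= nowSeconds ? "expired" : "not-expired";
  } else if (payload.exp !== undefined) {
    findings.push("exp-not-numeric");
  }
  const secondsLeft = expiry === "not-expired" ? payload.exp - nowSeconds : 0;
  return { header, payload, alg, expiry, secondsLeft, findings, signatureVerified: false };
}

// Constructed sample tokens (not real credentials); "c2ln" is a placeholder signature.
const NOW = 1700000000;
const signedLooking = [b64urlEncode('{"alg":"HS256","typ":"JWT"}'),
  b64urlEncode('{"iss":"example-issuer","sub":"user-1","exp":1700000600}'), "c2ln"].join(".");
const unsigned = [b64urlEncode('{"alg":"None"}'),
  b64urlEncode('{"sub":"user-1","exp":1699999000}'), ""].join(".");
console.log(inspectJwt(signedLooking, NOW));
console.log(inspectJwt(unsigned, NOW));
```

The `signatureVerified: false` field is always false here: a token that decodes cleanly and is unexpired has still not been authenticated.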