Decode a JWT header and payload.
This tool decodes the header and payload only. The signature is not verified.
Header:
{
  "alg": "HS256",
  "typ": "JWT"
}

Payload:
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 4070908800
}

A JWT decoder lets you instantly inspect the contents of any JSON Web Token without writing a single line of code. Paste your token and this tool splits and base64url-decodes the header and payload, displaying them as readable JSON. You can also check the expiry date and see at a glance whether the token is still valid — all client-side, so your token never leaves your browser.
A JSON Web Token (JWT) is a compact, URL-safe string made of three dot-separated parts: header, payload, and signature. Decoding the header reveals the signing algorithm (e.g. HS256, RS256) and token type. Decoding the payload shows the claims — user ID, roles, issued-at time, expiry, and any custom data the server embedded.
No, decoding does not verify the signature. Decoding only reads the header and payload, which are base64url-encoded plain text. Signature verification requires the secret key (for HMAC) or the public key (for RSA/ECDSA) and must be done server-side. Never trust a decoded JWT's claims in a security context without proper server-side verification.
The 'exp' claim is a Unix timestamp in seconds (UTC). If the token was issued with a short lifespan or your local system clock is significantly ahead of the server's, the token can appear expired immediately. Check that your system clock is correct and confirm the token's intended lifetime with whoever issued it.
The 'exp' (expiration time) claim is a standard JWT registered claim defined in RFC 7519. Its value is a Unix timestamp — the number of seconds since January 1, 1970 UTC. This decoder converts that number into a human-readable local date and time, and indicates whether the token is still valid or has already expired.
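The decode and expiry steps described above, written out as an added example (not this tool's own source code). The names `b64urlToText`, `inspectJwt` and `toB64url` are hypothetical, and the sample token is constructed from the header and payload shown on this page with a placeholder in place of a signature.

```javascript
// Added example: decode-only JWT inspection. No signature check is performed.
function b64urlToText(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not base64url");
  // base64url -> base64: swap the URL-safe characters and restore '=' padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (ch) => ch.charCodeAt(0));
  // fatal: true rejects invalid UTF-8 instead of silently substituting U+FFFD.
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlToText(parts[0]));
  const payload = JSON.parse(b64urlToText(parts[1]));
  let expiry = { status: "no exp claim", expiresAt: null };
  if (payload.exp !== undefined) {
    if (!Number.isFinite(payload.exp)) throw new Error("exp is not a number");
    expiry = {
      // RFC 7519: the token is acceptable only while now is before exp.
      status: nowSeconds >= payload.exp ? "expired" : "not expired",
      // exp is in seconds since the Unix epoch; Date takes milliseconds.
      expiresAt: new Date(payload.exp * 1000).toISOString(),
    };
  }
  // Claims are unauthenticated here: anyone can craft a token that decodes cleanly.
  return { header, payload, expiry, signatureVerified: false };
}

// Constructed sample built from the header and payload shown on this page.
// The third segment is a placeholder, not a real signature.
const toB64url = (obj) => btoa(JSON.stringify(obj))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = [
  toB64url({ alg: "HS256", typ: "JWT" }),
  toB64url({ sub: "1234567890", name: "John Doe", iat: 1516239022, exp: 4070908800 }),
  "not-a-real-signature",
].join(".");

console.log(inspectJwt(sampleToken));
```

The placeholder signature decodes without complaint, which is why the returned `signatureVerified` is always `false`: a clean decode says nothing about who issued the token.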