What are the three parts of a JWT token?

A JWT consists of three Base64URL-encoded parts separated by dots: the Header (algorithm and type), the Payload (claims like sub, exp, iat), and the Signature (cryptographic verification). This tool decodes the header and payload.

How do I check if a JWT token has expired?

Decode the JWT and check the exp (expiration) claim in the payload. Compare the exp Unix timestamp against the current time. If the current time is past the exp value, the token has expired.

JWT Decoder

Q: Is it safe to paste JWT tokens into an online decoder?

With this tool, yes. This JWT decoder runs 100% in your browser using client-side JavaScript. No token data is ever sent to any server. You can verify by checking the Network tab in your browser's developer tools.

Decode and inspect JSON Web Tokens. Header and payload are decoded — signature is not verified. Runs entirely in your browser.

JWT Token

What is a JWT (JSON Web Token) and How Does JWT Authentication Work?

A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519 for securely transmitting claims between two parties. JWTs are the standard authentication mechanism for modern web applications, single-page apps (SPAs), mobile apps, and microservice architectures. They're used by OAuth 2.0, OpenID Connect, and countless API authentication systems.

Understanding the Three Parts of a JWT Token

Header — Contains the token type ("typ": "JWT") and the signing algorithm ("alg": "HS256", "RS256", etc.). Decoded from the first Base64URL segment.
Payload — Contains the claims — the actual data. Standard claims include sub (subject/user ID), iss (issuer), exp (expiration time), iat (issued at), and aud (audience). Custom claims can contain any application-specific data.
Signature — Created by signing the header and payload with a secret key (HMAC) or private key (RSA/ECDSA). This tool does not verify signatures — it only decodes the header and payload.

Common Debugging Scenarios for JWT Tokens

Checking if a token has expired — Compare the exp claim against the current time to diagnose 401 Unauthorized errors
Inspecting user roles and permissions — View custom claims like role, scope, or permissions embedded in the payload
Debugging OAuth 2.0 access tokens — Inspect tokens from providers like Auth0, Okta, Azure AD, AWS Cognito, or Firebase
Verifying token issuer and audience — Ensure iss and aud claims match your expected values
Understanding token structure for API integration — See exactly what data is included in access tokens and ID tokens

Is It Safe to Paste JWT Tokens Into an Online Decoder?

With this tool, yes. This JWT decoder runs 100% in your browser using client-side JavaScript. No token data is ever transmitted to any server. You can verify this by opening your browser's Network tab (F12 → Network) while decoding a token — you'll see zero outgoing requests. For production environments, you can also use atob() in your browser console for quick decoding.

JWT Security Best Practices

Always set an expiration time (exp) — never issue tokens that last forever
Use RS256 (asymmetric) instead of HS256 (symmetric) for public-facing APIs
Store tokens in HttpOnly cookies instead of localStorage to prevent XSS attacks
Never store sensitive data (passwords, credit cards) in JWT payloads — they are Base64-encoded, not encrypted
Implement token refresh rotation to limit the window of a stolen token

Frequently Asked Questions

The decoder splits the JWT into its three Base64Url-encoded parts (header, payload, signature), decodes the header and payload using JavaScript's atob() function, and displays the resulting JSON. It also checks the exp and nbf claims to show if the token is expired.

Yes. All decoding runs entirely in your browser using JavaScript — your token is never sent to any server. However, remember that JWT payloads are only Base64-encoded (not encrypted), so avoid sharing tokens publicly regardless of the tool you use.

This tool decodes and inspects the token contents but does not verify the cryptographic signature. Signature verification requires the secret key (HS256) or public key (RS256), which should be done server-side. The tool is designed for inspection and debugging, not authentication.

The tool displays all claims in both the header (alg, typ, kid) and payload (iss, sub, aud, exp, nbf, iat, jti, and any custom claims). Timestamps like exp, nbf, and iat are converted to human-readable dates for easy inspection.

Yes. JWTs follow the RFC 7519 standard regardless of the issuer. Tokens from Auth0, Firebase, Azure AD, AWS Cognito, Okta, and any other OIDC/OAuth2 provider can be decoded and inspected with this tool.

JWT Decoder

Related Tools

What is a JWT (JSON Web Token) and How Does JWT Authentication Work?

Understanding the Three Parts of a JWT Token

Common Debugging Scenarios for JWT Tokens

Is It Safe to Paste JWT Tokens Into an Online Decoder?

JWT Security Best Practices

Frequently Asked Questions

Related tools and guides

More DevKit tools

Helpful guides