JWT Decoder
Paste any JSON Web Token to decode and inspect its header, payload, and signature sections. View expiry, issuer, subject, and all claims. Note: this does not verify signatures.
Tokens are decoded client-side. Nothing is sent to our servers.
Why use a JWT Decoder & Inspector?
JSON Web Tokens are base64url-encoded strings that carry identity and authorization claims between services. Debugging authentication issues, verifying token expiry, or understanding what claims are being passed becomes easy when you can see the decoded payload instantly. This tool decodes tokens client-side — nothing is sent to any server — and highlights expiry status at a glance.
Three-part structure
A JWT consists of a base64url-encoded header, payload, and signature separated by dots — this tool decodes all three parts.
Expiry detection
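Automatically compares the `exp` claim against the current time and shows whether the token is still within its lifetime or has expired. Because signatures are not verified, this status reflects only the expiry the token claims.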
Claim mapping
Standard claims like `iss`, `sub`, `aud`, and `iat` are shown with their full human-readable names alongside the raw values.
JWT standard claim names
The JWT specification (RFC 7519) defines a set of registered claim names. Understanding these is essential for debugging auth flows.
| Claim | Full name | Type | Description |
|---|---|---|---|
| iss | Issuer | String / URI | Who issued the token (e.g. auth.example.com) |
| sub | Subject | String | Who the token represents — typically a user ID |
| aud | Audience | String / Array | Intended recipient(s) of the token |
| exp | Expiration Time | Unix timestamp | Token must not be accepted after this time |
| iat | Issued At | Unix timestamp | When the token was created |
| nbf | Not Before | Unix timestamp | Token must not be accepted before this time |
| jti | JWT ID | String | Unique identifier for the token — used to prevent replay attacks |
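
The decode-only inspection described above (three-part split, `exp` check, claim-name mapping), as an added JavaScript example that is not this tool's own code. It goes slightly further by also reporting a future `nbf`; `inspectJwt`, `decodeSegment`, `toSegment` and the sample token are names and values constructed for illustration.

```javascript
// Registered claim names from RFC 7519, as listed in the table above.
const CLAIM_NAMES = new Map([
  ['iss', 'Issuer'], ['sub', 'Subject'], ['aud', 'Audience'], ['exp', 'Expiration Time'],
  ['iat', 'Issued At'], ['nbf', 'Not Before'], ['jti', 'JWT ID'],
]);

// Decode one base64url segment ('-' and '_' alphabet, no padding) into a JSON object.
function decodeSegment(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error('segment is not base64url');
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  const value = JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes));
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error('segment does not contain a JSON object');
  }
  return value;
}

// Decode-only inspection: the signature segment is returned untouched and never checked.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  let timeStatus = 'no exp claim';
  if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) {
    timeStatus = 'not yet valid';
  } else if (typeof payload.exp === 'number') {
    timeStatus = nowSeconds >= payload.exp ? 'expired' : 'within validity window';
  }
  // A Map lookup keeps custom claims such as "constructor" from matching object internals.
  const claims = Object.entries(payload).map(([claim, value]) => ({
    claim, name: CLAIM_NAMES.get(claim) || '(custom claim)', value,
  }));
  return { header, claims, timeStatus, signature: parts[2], signatureVerified: false };
}

// Constructed sample token; the signature segment is a dummy value, not a real MAC.
const toSegment = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE_TOKEN = [
  toSegment({ alg: 'HS256', typ: 'JWT' }),
  toSegment({ iss: 'auth.example.com', sub: 'user-123', exp: 1700003600, iat: 1700000000, role: 'admin' }),
  'ZHVtbXk',
].join('.');

console.log(inspectJwt(SAMPLE_TOKEN, 1700000100));
```

The `signatureVerified: false` field is fixed: every claim in the result is whatever the token's bearer supplied, including `role`.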