UtilsDaily

JWT Decoder

Decode any JSON Web Token instantly: header, payload, claims, and expiry.

What Is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe method of representing claims between two parties. It is structured as three Base64URL-encoded sections joined by dots: header.payload.signature. JWTs are the most common format for authentication tokens in modern web APIs; when you log in to a web app, you often receive a JWT that proves your identity for subsequent requests.

The header identifies the token type and signing algorithm. The payload contains claims (key-value pairs) about the subject, typically user ID, roles, and expiry time. The signature ensures the token has not been tampered with.

How to Use This JWT Decoder

Paste any JWT into the input box. The decoder splits the token at the dots, Base64URL-decodes each section, and displays formatted JSON for the header and payload. If the payload contains an exp (expiration) claim, an indicator shows whether the token is currently valid or expired. Timestamp claims (iat, exp, nbf) are automatically displayed as human-readable dates.

JWT Structure Explained

Header

The header is a JSON object identifying the token type (typ) and the cryptographic algorithm used to sign it (alg). Common algorithms: HS256 (HMAC-SHA256), RS256 (RSA-SHA256), ES256 (ECDSA-SHA256).

Payload (Claims)

The payload contains registered standard claims and custom application claims:

  • sub (Subject): the entity the token is about (usually a user ID)
  • iss (Issuer): who created the token
  • aud (Audience): who the token is intended for
  • exp (Expiration): Unix timestamp when the token expires
  • iat (Issued At): when the token was created
  • nbf (Not Before): earliest time the token is valid

Signature

The signature is a cryptographic signature (an HMAC or a public-key signature, depending on alg) computed over the encoded header and payload. It prevents tampering: any change to the header or payload invalidates the signature. Verifying it requires the shared secret or the issuer's public key, so this client-side tool does not perform signature verification.

Security Notes

  • JWTs are not encrypted by default: the payload is only Base64URL-encoded and readable by anyone. Never put passwords, credit card numbers, or other secrets in a JWT payload.
  • Always verify signatures on the server side before trusting a JWT's claims.
  • Check expiry: expired tokens should be rejected even if the signature is valid.

Frequently Asked Questions

What is a JWT?

A JWT (JSON Web Token) is a compact token with three dot-separated sections: header, payload, and signature. It is used for authentication: after login, a server issues a JWT that the client sends with subsequent requests to prove identity. The server validates the signature to trust the claims.

Is it safe to decode a JWT here?

Yes. All decoding happens in your browser โ€” nothing is sent to a server. The token never leaves your device. For production systems, avoid pasting tokens containing real user PII in any third-party tool.

What do exp, iat, and nbf mean?

exp = expiration time (Unix timestamp). iat = issued at time. nbf = not before time. All three are standard registered claims in RFC 7519. The decoder displays them as human-readable dates automatically.

Can this verify the JWT signature?

No. Signature verification requires the signing key, which only the server knows. This tool decodes the header and payload only. To verify signatures, use a backend JWT library or jwt.io with your key.

What is Base64URL encoding?

Base64URL is a URL-safe variant of Base64 that replaces + with - and / with _, and omits padding (=). The header and payload sections of a JWT almost always start with eyJ because the opening characters of a JSON object, {", Base64URL-encode to those three characters.
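The decoding procedure described under "How to Use This JWT Decoder" and the Base64URL handling above, as an added JavaScript example that is not the UtilsDaily implementation. The first token is the well-known jwt.io sample; the expired token, the dummy signature segment, and the helper names (base64UrlDecode, decodeJwt, timeStatus) are this example's own constructions.

```javascript
// Added example (not the UtilsDaily code): the steps the page describes, i.e. split
// at dots, Base64URL-decode, parse JSON, flag exp/nbf. The signature is NOT verified.

function base64UrlDecode(segment) {
  // Base64URL -> Base64: swap URL-safe characters and restore omitted padding
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const rem = b64.length % 4;
  if (rem === 1) throw new Error("invalid Base64URL segment length");
  if (rem) b64 += "=".repeat(4 - rem);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // claims may contain non-ASCII text
}

function base64UrlEncode(text) {
  // Inverse of the above; used only to build the constructed sample token below
  const bytes = new TextEncoder().encode(text);
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("a compact JWT has exactly three sections");
  const [h, p, signature] = parts;
  return {
    header: JSON.parse(base64UrlDecode(h)),
    payload: JSON.parse(base64UrlDecode(p)),
    signature, // kept opaque: it cannot be checked without the key
  };
}

// Time-claim indicator only (RFC 7519 exp/nbf); a valid signature is still required
function timeStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  const expired = typeof payload.exp === "number" && nowSeconds >= payload.exp;
  const notYetValid = typeof payload.nbf === "number" && nowSeconds < payload.nbf;
  return { expired, notYetValid, usable: !expired && !notYetValid };
}

// Well-known jwt.io sample token (HS256, no exp claim)
const SAMPLE_JWT =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

// Constructed token whose exp is already in the past; the signature part is a dummy
const EXPIRED_JWT = [
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({ sub: "user-42", iat: 1700000000, exp: 1700003600 })),
  "dummy-signature",
].join(".");
```

Both constructed sections begin with eyJ, which is the pattern the FAQ above describes; timeStatus only reports the time claims and says nothing about whether the token is authentic.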
