How to Use This Tool
- Paste your full JWT (the eyJ… string) into the textarea.
- Click "Decode" to split and decode the token.
- Inspect the Header (algorithm, token type), Payload (claims, user data), and Signature sections shown in color-coded blocks.
- Check the expiry status badge — the tool shows whether the token has expired or how much time remains before it does.
Common Use Cases
- Debugging authentication issues by inspecting a JWT's claims and expiry time during API development.
- Verifying that a token contains the expected roles, user ID, or custom claims after generation.
- Checking whether a token has expired without having to write code or use a REPL.
- Understanding the structure and claims of JWTs issued by third-party identity providers (Auth0, Cognito, Firebase).
- Learning how JWT encoding works — seeing the raw header and payload alongside their Base64URL-decoded forms.
Frequently Asked Questions
Can this tool verify a JWT's signature?
No. Signature verification requires key material: the server's secret key (for HMAC), which you should never expose in a browser, or the issuer's public key (for RSA/ECDSA). This tool decodes the header and payload for inspection only, so a token that decodes cleanly here has not been shown to be authentic.
Is it safe to paste a JWT here?
All decoding happens entirely in your browser — no data is sent to any server. That said, tokens granting access to sensitive resources should be treated as secrets. Invalidate and re-issue a token if you suspect it has been compromised.
Why does the JWT have three parts separated by dots?
A JWT consists of a Base64URL-encoded header, a Base64URL-encoded payload, and a signature, separated by periods. The header and payload are plaintext (just encoded, not encrypted) — only the signature is cryptographically generated.
What is the "exp" claim in the payload?
The "exp" (expiration time) claim is a Unix timestamp (seconds since 1 January 1970 UTC) after which the token must not be accepted. The tool converts this to a human-readable date and shows whether the token is currently valid or expired.
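
The three-part split, the Base64URL decoding and the "exp" check described in the last two answers, as an added example (not this tool's own code). The function names and the sample token are constructed for illustration, and nothing here verifies the signature.

```javascript
// Added example: decode-only JWT inspection. The signature is NOT verified.

// Base64URL uses '-' and '_' instead of '+' and '/', and drops '=' padding.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not Base64URL");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Split header.payload.signature and parse the two JSON segments.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts.slice(0, 2).map((p) => {
    const value = JSON.parse(base64UrlDecode(p));
    if (value === null || typeof value !== "object") throw new Error("segment is not a JSON object");
    return value;
  });
  // verified:false is a reminder that these claims are untrusted input.
  return { header, payload, signature: parts[2], verified: false };
}

// "exp" is seconds since the Unix epoch; JavaScript Dates use milliseconds.
function expiryStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  const exp = payload.exp;
  if (exp === undefined) return { state: "no-exp" };
  if (typeof exp !== "number" || !Number.isFinite(exp)) return { state: "invalid-exp" };
  const expiresAt = new Date(exp * 1000).toISOString();
  return exp <= nowSeconds
    ? { state: "expired", expiresAt, secondsAgo: nowSeconds - exp }
    : { state: "valid", expiresAt, secondsLeft: exp - nowSeconds };
}

// Constructed sample token; the third segment is a placeholder, not a real signature.
const toB64Url = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  toB64Url({ alg: "HS256", typ: "JWT" }),
  toB64Url({ sub: "user-123", role: "admin", exp: 1700000000 }),
  "c2lnbmF0dXJlLXBsYWNlaG9sZGVy",
].join(".");

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header, decoded.payload, expiryStatus(decoded.payload));
```

Because the header and payload are only encoded, the `role` claim above is readable and editable by anyone holding the token; only server-side signature verification makes it trustworthy.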