How to Decode and Inspect JWTs
JWT Decoding
When to Decode JWTs
Decode JWTs when debugging OAuth flows, inspecting API authorization headers, verifying claim values, or checking whether a token has expired — without needing a backend.
JWT Structure
A JSON Web Token has three Base64URL-encoded parts separated by dots: header.payload.signature. The header contains the algorithm; the payload holds claims; the signature verifies integrity.
Common Claims
- exp: expiration time (Unix seconds)
- iat: issued-at time (Unix seconds)
- sub: subject (usually the user ID)
- iss: issuer
- aud: intended audience
Security Note
Decoding reveals the payload but does not verify the signature. A decoded JWT can still be forged. Never trust claims without signature verification using the issuer's public key or shared secret.
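An added example (not the tool's own code) that decodes the three dot-separated parts described above and checks exp the way the expiry check in the FAQ does. The function names decodeJwt and isExpired, and the sample token, are this example's own; note the decoded result is always marked as unverified, since nothing here checks the signature.

```javascript
// Restore standard Base64 from Base64URL ('-' -> '+', '_' -> '/', padding re-added),
// then decode. atob() is available in browsers and in Node 16+.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return atob(padded);
}

// Split header.payload.signature and JSON-parse the first two parts.
// The signature is kept only as an opaque string: this function cannot check it.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("JWT must have exactly three dot-separated parts");
  const [h, p, s] = parts;
  return {
    header: JSON.parse(base64UrlDecode(h)),
    payload: JSON.parse(base64UrlDecode(p)),
    signature: s,
    verified: false, // decoding never establishes authenticity
  };
}

// RFC 7519: the current time must be strictly before exp, so exp == now is expired.
// A token with no exp claim does not expire on its own.
function isExpired(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp !== "number") return false;
  return payload.exp <= nowSeconds;
}

// Constructed sample token for this example: a standard HS256 header, the common claims
// listed above, and a placeholder signature that would never verify against any key.
function base64UrlEncode(obj) {
  return btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_PAYLOAD = {
  sub: "user-123", iss: "https://issuer.example", aud: "api.example",
  iat: 1700000000, exp: 1700003600,
};
const SAMPLE_TOKEN =
  base64UrlEncode({ alg: "HS256", typ: "JWT" }) + "." +
  base64UrlEncode(SAMPLE_PAYLOAD) + "." + "placeholder-signature";

// Returns what a decoder tab would display: claims plus an expiry flag, never "valid".
function inspectToken(token, nowSeconds) {
  const decoded = decodeJwt(token);
  return { ...decoded, expired: isExpired(decoded.payload, nowSeconds) };
}
```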
Frequently asked questions
Does this tool verify JWT signatures?
No. This decoder inspects the header and payload only. Signature verification requires the secret or public key and is not performed here.
Is it safe to paste production JWTs here?
Yes. All processing runs locally in your browser. Tokens are never sent to a server. However, treat decoded tokens as sensitive — anyone with the token can use it until it expires.
Why does my token show as expired?
The exp claim is compared against the current Unix timestamp. If exp is in the past, the token is expired and should be refreshed.