JWT Decoder

Decode and inspect JSON Web Tokens instantly. View header, payload, and check expiry status.

Note: Signature verification requires the secret key.

Decode Without Secret

View header and payload without needing the signing key.

Expiry Check

Automatically detects if token is expired or still valid.

Formatted Output

JSON output with syntax highlighting for easy reading.

3 Parts Decoded | 100% Client-side | 0 Data Sent | 0 Sign-up

Frequently Asked Questions

How do I decode a JWT without knowing the secret?

Simply paste your JWT above! The header and payload are Base64url-encoded but not encrypted, so anyone can decode them. The signature is a cryptographic hash that ensures integrity, but you don't need the secret to read the data.

What do the three parts of a JWT mean?

A JWT has three parts separated by dots: 1) Header (algorithm, such as HS256), 2) Payload (your data, such as user_id, exp, roles), 3) Signature (verifies the token wasn't tampered with). All three are Base64url-encoded.

Can I trust the expiry time shown?

Yes! The "exp" claim is standard and set by the server when issuing the token. However, always verify with server-side code in production; client-side decoding is just for debugging.
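
The decoding and expiry check described in the answers above, as an added JavaScript example (not this tool's own code). The function names, the sample token and its placeholder signature are constructed for illustration; the result is always marked unverified because no key is involved.

```javascript
// Added example: read a JWT without the key. Nothing here verifies the signature.
function b64urlToString(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error("segment is not Base64url");
  // Base64url uses '-' and '_' and drops '=' padding; map back to standard Base64.
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlToString(parts[0]));
  const payload = JSON.parse(b64urlToString(parts[1]));
  if (payload === null || typeof payload !== "object") {
    throw new Error("payload is not a JSON object");
  }
  let expiry = "no exp claim";
  if (payload.exp !== undefined) {
    if (typeof payload.exp !== "number" || !Number.isFinite(payload.exp)) {
      expiry = "invalid exp claim";
    } else {
      // exp is seconds since the Unix epoch; the token is expired at or after it.
      expiry = nowSeconds >= payload.exp ? "expired" : "not expired";
    }
  }
  return {
    header,
    payload,
    expiry,
    signaturePresent: parts[2].length > 0,
    verified: false, // decoding alone never proves who issued the token
  };
}

// Constructed sample input: ASCII-only claims and a placeholder signature.
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ user_id: 42, roles: ["admin"], exp: 1700000000 }),
  "constructed-not-a-real-signature",
].join(".");

console.log(inspectJwt(sampleToken, 1699999999));
```

Treat the returned claims as display-only: an application should act on them only after its server-side code has checked the signature with the key.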

What's the difference between JWT and OAuth?

JWT is the token format (a signed JSON object). OAuth 2.0 is the authorization protocol that can use JWT as the token type. OAuth handles "who gets access to what"; JWT is just the container for that information.