JWT Decode

A JSON Web Token (JWT) has three Base64-encoded parts separated by dots: header.payload.signature. The decoder splits and decodes the header (algorithm, type) and payload (claims like user ID, expiration) into readable JSON.

No. Decoding simply reads the contents — anyone can do it. Verification checks the signature using the secret key or public key to confirm the token was not tampered with. This tool decodes only; verification requires the signing key.

Common claims: sub (subject/user ID), iat (issued at), exp (expiration), iss (issuer), aud (audience), and custom claims like roles or permissions. The decoder shows all claims with human-readable timestamps for date fields.

The decoder reads the exp (expiration) claim and compares it to the current time. It clearly shows whether the token is valid or expired, and how much time remains or has passed since expiration.

HS256 (HMAC-SHA256): symmetric, uses a shared secret. RS256 (RSA-SHA256): asymmetric, uses public/private key pair. ES256 (ECDSA-SHA256): asymmetric, smaller keys. The decoder shows the algorithm in the header section.