JWT Decoder
Last updated:
Jsonic's JWT Decoder splits a JWT token into its three parts and decodes the header and payload from Base64url encoding. The header typically contains the signing algorithm (alg) and token type (typ). The payload contains claims such as sub, iat, and exp. The signature is displayed but not cryptographically verified — that requires the secret key.
How to decode a JWT token
- Paste your JWT token into the input field.
- Click Decode.
- The header and payload are shown as formatted JSON.
- The signature is displayed but not verified.
FAQ
Does this verify the JWT signature?
No. Signature verification requires the secret key. This tool only decodes and displays the header and payload.
Is my token sent to a server?
No. Decoding runs entirely in your browser. Your token never leaves your machine.
What is in the JWT header?
The header contains the algorithm (alg) and token type (typ), e.g. {"alg": "HS256", "typ": "JWT"}.
What is in the JWT payload?
The payload contains claims — typically sub (subject), iat (issued at), exp (expiration), and any custom fields set by the issuer.
How do I check if a JWT is expired?
Look for the exp claim in the payload. It is a Unix timestamp (seconds since 1970-01-01). Compare it to the current time. This tool displays exp as a human-readable date.
What is the difference between HS256 and RS256?
HS256 uses a shared secret for signing and verification. RS256 uses a private key to sign and a public key to verify — common in OAuth 2.0 and OpenID Connect.
Can I decode any JWT format?
This tool decodes standard three-part JWTs (header.payload.signature). It does not support JWE (encrypted tokens).