JWT Decoder


Understanding JSON Web Tokens (JWTs)

JSON Web Tokens (JWTs) are an open industry standard (RFC 7519) for representing claims securely between two parties. This decoder lets you inspect the header and payload of a JWT; it does not verify the signature.

Token Structure

  • Header: Algorithm and token type metadata
  • Payload: Claims and user information
  • Signature: Cryptographic verification data
  • Format: header.payload.signature
  • Encoding: Each part is Base64URL encoded
  • Separation: Parts separated by dots (.)

Common Header Fields

  • alg - Signing algorithm (e.g., HS256, RS256)
  • typ - Token type (usually "JWT")
  • kid - Key ID for key rotation
  • cty - Content type (for nested JWTs)
  • crit - Critical header parameters

📋 Claims Reference

Registered Claims

  • iss (Issuer) - Identifies the principal that issued the token
  • sub (Subject) - Identifies the principal that is the subject of the JWT
  • aud (Audience) - Recipients that the JWT is intended for
  • exp (Expiration) - Time after which the JWT expires (Unix timestamp)

Additional Claims

  • nbf (Not Before) - Time before which the JWT must not be accepted
  • iat (Issued At) - Time at which the JWT was issued (Unix timestamp)
  • jti (JWT ID) - Unique identifier for the JWT
  • custom (Private Claims) - Application-specific claims (e.g., roles, permissions)

Security Analysis

🔍 What to Check

  • Algorithm: Verify that the signing algorithm is the one you expect
  • Expiration: Check if token is still valid
  • Issuer: Confirm token source is trusted
  • Audience: Ensure token is intended for your app
  • Claims: Validate all security-relevant claims
  • Signature: Always verify in production!

⚠️ Security Warnings

  • No Verification: This tool only decodes tokens; it does not verify signatures
  • Sensitive Data: JWTs are not encrypted by default
  • Algorithm None: Beware of unsigned tokens
  • Key Confusion: Validate that the algorithm matches the one you expect
  • Replay Attacks: Implement proper token tracking
  • Storage: Use secure storage mechanisms
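
The checks and warnings listed above, as an added Python example (not this tool's code): it validates an HS256 token by pinning the algorithm, verifying the signature, then checking exp, nbf, iss and aud. The function names and the key, issuer and audience values are assumptions constructed for the illustration.

```python
import base64, hashlib, hmac, json, time
def b64url_decode(part):
    # JWT parts drop Base64URL padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(header, claims, key=b""):
    # Builds constructed sample tokens for this example; an empty key leaves it unsigned.
    body = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest() if key else b""
    return body + "." + b64url_encode(sig)

def validate_hs256(token, key, issuer, audience, now=None):
    """Return (claims, problems); trust claims only when problems is empty."""
    now = time.time() if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, claims = json.loads(b64url_decode(head_b64)), json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except ValueError:  # wrong part count, bad Base64URL or bad JSON
        return None, ["malformed token"]
    problems = []
    # Algorithm: pin the expected value; the header never chooses (alg=none, key confusion).
    if header.get("alg") != "HS256":
        problems.append("unexpected alg")
    # Signature: recompute over the received header.payload bytes, constant-time compare.
    expected = hmac.new(key, (head_b64 + "." + body_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        problems.append("bad signature")
    # exp/nbf are Unix timestamps; a token without a numeric exp is rejected.
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        problems.append("expired or missing exp")
    if isinstance(claims.get("nbf"), (int, float)) and now < claims["nbf"]:
        problems.append("not yet valid")
    if claims.get("iss") != issuer:
        problems.append("untrusted issuer")
    aud = claims.get("aud")  # aud may be a single string or a list
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("wrong audience")
    return claims, problems

# Constructed sample data; only the iat value 1516239022 is the page's example timestamp.
KEY = b"constructed-demo-key"
CLAIMS = {"iss": "https://issuer.example", "aud": "my-app", "iat": 1516239022, "exp": 1516242622}
GOOD = make_token({"alg": "HS256", "typ": "JWT"}, CLAIMS, KEY)
UNSIGNED = make_token({"alg": "none", "typ": "JWT"}, CLAIMS)
```

Every problem is collected rather than stopping at the first, which makes the result useful for logging why a token was rejected.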

🕒 Timestamp Decoder

Unix timestamps in JWTs can be converted to human-readable dates:

  • Current Time: 1750048332 (6/16/2025, 4:32:12 AM)
  • Example: 1516239022 (1/18/2018, 1:30:22 AM)
  • 1 Hour from Now: 1750051932 (6/16/2025, 5:32:12 AM)