Decode any JSON Web Token (JWT) instantly. See the header algorithm, payload claims, expiry time, and signature. Runs entirely in your browser — your token is never sent anywhere.
A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It has three parts: header (algorithm), payload (claims/data), and signature, separated by dots.
Paste your JWT into the box above. The decoder instantly splits it into header, payload, and signature, and shows all claims including expiry time and subject.
This decoder runs entirely in your browser. Your JWT is never sent to any server. However, avoid pasting production tokens with sensitive data into any online tool as a general security practice.
The expiry is stored in the "exp" claim as a Unix timestamp. This decoder automatically checks the expiry and shows whether the token has expired or is still within its lifetime.
HS256 is the signing algorithm: HMAC using SHA-256. It is the most common JWT algorithm. Others include RS256 (RSA with SHA-256) and ES256 (ECDSA with SHA-256).
No. Verifying the signature requires the secret key, which should never be shared. This tool only decodes (reads) the header and payload, which are Base64url-encoded but not encrypted, so anyone who holds the token can read them.
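The decode-only steps described above (split on dots, Base64url-decode the header and payload, compare "exp" to the current time) can be sketched as follows. This is an added example, not this tool's own code; the function names, the `signatureVerified` field, and the sample token are constructed for illustration.

```javascript
// Added example: decode-only JWT inspection; the signature is never verified here.

// Base64url segment -> UTF-8 string (URL-safe alphabet, padding stripped in JWTs).
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("invalid base64url segment");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Split a compact JWT, decode header and payload, and classify the "exp" claim.
// nowSeconds is injectable so the expiry check can be tested deterministically.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(b64urlDecode(p)));
  for (const obj of [header, payload]) {
    if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
      throw new Error("segment is not a JSON object");
    }
  }
  let expiry = "no exp claim";
  if (payload.exp !== undefined) {
    if (typeof payload.exp !== "number" || !Number.isFinite(payload.exp)) {
      throw new Error("exp is not a number");
    }
    expiry = nowSeconds >= payload.exp ? "expired" : "not expired";
  }
  // Everything returned here is unauthenticated: alg and the claims come from
  // the token itself and must not drive authorization until a verifier checks it.
  return { alg: header.alg, header, payload, signature: parts[2], expiry, signatureVerified: false };
}

// Helper used only to build the constructed sample token below.
function b64urlEncode(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed sample: the signature part is a placeholder, not a real HMAC.
const sampleToken = [
  b64urlEncode({ alg: "HS256", typ: "JWT" }),
  b64urlEncode({ sub: "user-123", exp: 1700000000 }),
  "c2lnbmF0dXJl",
].join(".");

console.log(inspectJwt(sampleToken, 1700000001).expiry);
```

The "not expired" result says nothing about authenticity: a token with a forged payload and a future "exp" decodes the same way, which is why expiry must only be trusted after signature verification on the server.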
JWTs are stateless — the server does not need to store them. Session tokens require server-side storage. JWTs are self-contained and can be verified without a database lookup.