JWT Decoder

This JWT decoder lets you inspect JSON Web Tokens in your browser. View header, payload, signature, expiration status, and claims instantly.

Paste a JSON Web Token (JWT) and instantly see its decoded header, payload, and signature. The tool checks expiration status, displays all claims in syntax-highlighted JSON, and shows timestamps in human-readable format. Everything runs in your browser - your tokens are never sent to a server.

Ad
Ad

About JWT Decoder

What Is a JWT?

A JSON Web Token is a compact, URL-safe string used to securely transmit claims between two parties. It is the most common token format for API authentication, single sign-on (SSO), and stateless session management. A JWT consists of three Base64URL-encoded parts separated by dots:

PartContainsExample Content
HeaderAlgorithm and token type{"alg": "HS256", "typ": "JWT"}
PayloadClaims (the actual data){"sub": "1234", "name": "Alice", "iat": 1712390400}
SignatureVerification hashHMAC-SHA256(base64url(header) + "." + base64url(payload), secret)

The header and payload are simply Base64URL-encoded JSON - not encrypted. Anyone who has the token can decode and read the payload. The signature prevents tampering but does not hide the contents.

Registered JWT Claims

RFC 7519 defines a set of standard claims. These are not required, but most JWTs use at least iss, sub, exp, and iat.

ClaimFull NameTypePurpose
issIssuerStringWho created and signed the token (e.g., "auth.example.com")
subSubjectStringWho the token represents (usually a user ID)
audAudienceString or arrayWhich service(s) should accept this token
expExpiration TimeUnix timestampToken is invalid after this time
nbfNot BeforeUnix timestampToken is invalid before this time
iatIssued AtUnix timestampWhen the token was created
jtiJWT IDStringUnique identifier for this specific token (for revocation)

Applications typically add custom claims alongside these standard ones - things like "role", "email", "permissions", or "tenant_id". Custom claims should use namespaced names (like "https://example.com/roles") to avoid collisions.

JWT Signing Algorithms

The "alg" field in the header specifies how the signature is created. The algorithm choice affects security, performance, and key management.

AlgorithmTypeKeyUse Case
HS256HMAC (symmetric)Shared secretSingle service that both creates and verifies tokens
HS384HMAC (symmetric)Shared secretSame as HS256 with longer hash
HS512HMAC (symmetric)Shared secretSame as HS256 with longest hash
RS256RSA (asymmetric)Private key signs, public key verifiesMultiple services verify tokens from one issuer
RS384 / RS512RSA (asymmetric)RSA key pairSame as RS256 with longer hash
ES256ECDSA (asymmetric)EC key pair (P-256)Smaller keys and signatures than RSA
ES384 / ES512ECDSA (asymmetric)EC key pairSame as ES256 with larger curve
PS256RSA-PSS (asymmetric)RSA key pairMore secure padding than RS256
noneNo signatureNoneNever use in production - allows token forgery

Symmetric algorithms (HS*) use the same secret for signing and verification. Asymmetric algorithms (RS*, ES*, PS*) use a key pair - the private key signs and the public key verifies. Asymmetric algorithms are preferred in distributed systems where multiple services need to verify tokens without sharing a secret.

How Expiration Checking Works

This tool reads the "exp" claim (a Unix timestamp in seconds) and compares it to your system clock. It shows whether the token is currently valid, expired, or not yet valid (if "nbf" is present). The timestamps are displayed in your local timezone for easy reading.

ScenarioConditionStatus
Token is freshCurrent time < expValid (shows time remaining)
Token has expiredCurrent time > expExpired (shows how long ago)
No exp claimexp is absentNo expiration set
Not yet validCurrent time < nbfNot yet valid

Common JWT lifetimes: access tokens are typically 5-60 minutes, refresh tokens 7-30 days, and ID tokens 1-24 hours. Short-lived access tokens limit the damage window if a token is compromised.

JWT Security Considerations

RiskDescriptionMitigation
Token theftJWTs are bearer tokens - whoever has the token has accessUse HTTPS, httpOnly cookies, short expiration
Algorithm confusionAttacker changes alg from RS256 to HS256 and signs with the public keyAlways validate the algorithm server-side, never trust the header
"none" algorithmAttacker removes signature and sets alg to "none"Reject tokens with alg "none" in your verification logic
Sensitive data in payloadJWTs are encoded, not encrypted - anyone can read the payloadNever put passwords, credit cards, or secrets in JWT payloads
No revocationJWTs are stateless - you cannot invalidate one before it expiresUse short expiration + refresh tokens, or maintain a deny list
Oversized tokensLarge payloads increase every request's sizeKeep payloads minimal - use IDs, not full user objects

JWT vs Session Cookies vs API Keys

FeatureJWTSession CookieAPI Key
StatelessYes - no server-side storageNo - requires session storeDepends on implementation
Self-containedYes - claims are in the tokenNo - server looks up session dataNo - server looks up key
Cross-domainYes (in Authorization header)No (cookies are domain-bound)Yes (in header or query)
RevocableNot easily (stateless)Yes (delete session server-side)Yes (delete/disable key)
Size~800-2000 bytes typical~32 bytes (session ID)~32-64 bytes
Best forAPIs, microservices, SSOTraditional web appsServer-to-server, public APIs

Decoding Is Not Verification

This tool decodes JWTs for inspection and debugging. It does not verify signatures because verification requires the secret key (for HMAC) or the public key (for RSA/ECDSA), and handling cryptographic keys in a browser introduces security risks. Signature verification should always happen server-side using a trusted library (jsonwebtoken for Node.js, PyJWT for Python, java-jwt for Java).

Worked Example: Decoding a Real Token

Take this sample token (shortened for readability): eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIiwiaWF0IjoxNzEyMzkwNDAwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c. Split on the two dots and Base64URL-decode each of the first two segments. The header decodes to {"alg":"HS256","typ":"JWT"}, telling you the token is signed with HMAC-SHA256. The payload decodes to {"sub":"1234567890","name":"Jane Doe","iat":1712390400}, where iat is a Unix timestamp that maps to 6 April 2024 08:40 UTC. The third segment is the signature - a 32-byte HMAC digest encoded in Base64URL. Without the shared secret you cannot recompute or verify that digest, which is why this tool leaves the signature as-is and shows a warning banner below it.

Base64URL is not quite the same as regular Base64. RFC 4648 Section 5 swaps + for -, / for _, and drops padding = characters so the token is safe to put in URLs and HTTP headers. A correct decoder has to re-add padding before calling atob() in the browser, which is exactly what this tool does internally.

How Long Should a JWT Live?

Shorter is better. The 2024 OWASP JSON Web Token Cheat Sheet recommends access tokens of 5 to 15 minutes, refresh tokens measured in days rather than weeks, and aggressive rotation on every refresh. Real-world defaults from major identity providers are broadly consistent with that guidance.

Provider / SpecAccess TokenRefresh TokenID Token
Auth0 default24 hours (configurable)Up to 30 days with rotation36,000 seconds (10 hours)
AWS Cognito1 hour (5 min to 24 h range)30 days (60 min to 10 years range)1 hour
Microsoft Entra ID60-90 min with variance90 days sliding, 24 hours inactiveMatches access token
OWASP recommendation5-15 minutesDays, rotated on every useShortest practical

Pair a short-lived access token with a longer refresh token and always rotate the refresh token on each use. That way a stolen access token is only useful for minutes, and a stolen refresh token only works until the next legitimate refresh invalidates it.

Common JWT Mistakes in Production

Most JWT bugs fall into a small set of patterns. If you are debugging token problems, check these before anything else.

  • Trusting the alg header. Never let the token tell the server how to verify it. Hard-code the expected algorithm in your verification call. The classic alg: none bypass and RS256-to-HS256 algorithm confusion attacks both rely on servers reading alg from the token itself.
  • Putting secrets in the payload. Passwords, full credit card numbers, medical records, or API keys in a JWT payload are readable by anyone with the token. Payloads are encoded, not encrypted. If you need encryption use JWE (JSON Web Encryption) instead of JWS.
  • Clock skew ignored. If your auth server and API server disagree on the current time by even 30 seconds, freshly issued tokens look nbf-invalid. Most libraries support a leeway option (typically 30-60 seconds) - use it.
  • Missing aud checks. An aud claim exists so one service can accept a token meant for it and reject tokens meant for a sibling service. Skipping the audience check lets an attacker replay a token across services.
  • Storing JWTs in localStorage. Any XSS on the page can read localStorage. For browser apps, httpOnly Secure cookies with SameSite=Lax or SameSite=Strict are the safer default, even though that reintroduces some of the complexity JWTs were supposed to avoid.
  • No revocation plan. JWTs are stateless by design, which means you cannot invalidate one before exp. Keep access-token lifetimes short, maintain a deny list for high-value tokens (admin sessions, password changes), and rotate refresh tokens aggressively.

Reading Specific Claims

Once decoded, the payload usually contains a mix of registered claims (from RFC 7519) and app-specific custom claims. This tool displays both in the Payload panel and highlights timestamp claims (exp, iat, nbf) in the lifetime summary. For inspecting the JSON structure in more depth, the JSON Formatter handles pretty-printing and validation. For converting between Unix epoch seconds and human time, the Unix Timestamp Converter covers both directions. And if you need to inspect the raw Base64URL segments byte-by-byte, the Base64 Encoder / Decoder can decode each part individually.

All processing happens in your browser - your tokens never leave your machine. That is especially important for JWTs because tokens are bearer credentials: anyone who holds a valid token can use it until it expires. Paste with confidence, but still treat production tokens as sensitive the way you would a password.

Sources

Frequently Asked Questions

What is a JWT and what are its three parts?

A JSON Web Token (JWT) consists of three Base64URL-encoded parts separated by dots. The header specifies the signing algorithm, the payload contains the claims (data), and the signature is used to verify the token's integrity. This tool decodes the header and payload so you can inspect the claims inside any JWT.

Can this tool verify JWT signatures?

No. Signature verification requires the secret key or public key used to sign the token, which cannot be safely handled in a browser. This tool decodes and displays the token contents for inspection and debugging purposes only. For production signature verification, use a server-side library.

Is it safe to paste my JWT into this tool?

Yes. All decoding happens entirely in your browser using JavaScript. Your token is never transmitted to any server. However, you should still avoid sharing JWTs publicly since they may contain sensitive claims such as user IDs or permissions.

How do I check if a JWT has expired?

After decoding, the tool reads the "exp" (expiration) claim from the payload and compares it to the current time. It displays whether the token is still valid or has expired, along with the exact expiration date and how much time remains or has passed since expiry.

Link to this tool

Copy this HTML to link to this tool from your website or blog.

<a href="https://toolboxkit.io/tools/jwt-decoder/" title="JWT Decoder - Free Online Tool">Try JWT Decoder on ToolboxKit.io</a>