JWT Decoder
Decode and inspect JSON Web Tokens instantly.
Header
Payload
Signature
Raw base64url-encoded signature. Verification requires the signing key.
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe string that carries a set of claims between two parties. It is widely used for authentication and authorization — after a user signs in, the server issues a JWT that the client sends with every subsequent request to prove identity.
Every JWT has three parts separated by dots. The header declares the signing algorithm (e.g. HS256 or RS256) and token type. The payload contains claims: registered ones like sub (subject), iat (issued at), and exp (expiration), plus any custom data. The signature is a cryptographic value computed over the header and payload with the signing key; it lets the server verify the token has not been tampered with.
Token expiry is one of the most common gotchas. The exp claim is a Unix timestamp in seconds; if the current time exceeds it, the token is expired. Servers should always check expiry before trusting a token. If you see "token expired" errors, compare the exp value with the current time to see how far off it is.
Other common JWT pitfalls include mismatched algorithms (the server expects RS256 but the token header says HS256), clock skew between services, and confusing encoding with encryption — JWTs are only base64url-encoded, not encrypted, so anyone can read the payload.
Frequently Asked Questions
How do I decode a JWT?
JWTs are base64url encoded, not encrypted — anyone can read the contents. Simply paste the token into the field above and this tool splits it on the two dots, base64url-decodes the header and payload segments, and displays the parsed JSON. The third segment is the cryptographic signature, shown as-is.
Is it safe to paste a JWT online?
Yes — this tool processes everything entirely in your browser. No data is sent to any server. That said, JWTs can contain sensitive claims (user IDs, emails, roles), so avoid sharing tokens in public channels and always verify you trust any tool before pasting credentials.
What is the exp claim in JWT?
The exp (expiration time) claim identifies the time after which the JWT must not be accepted for processing. It is expressed as a Unix timestamp in seconds since the epoch (January 1, 1970 UTC). Servers should reject tokens whose exp value is in the past.
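The decoding steps and the exp, clock-skew and algorithm-mismatch checks described on this page, as an added JavaScript example (not this tool's own source). The function names, the 60-second skew allowance, the milliseconds heuristic and the sample token are assumptions constructed for illustration; the signature is not verified, so the output is for inspection only.

```javascript
// Added example: decode a JWT for inspection and report common pitfalls.
// It never verifies the signature, so its output must not be used to trust a token.

function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function inspectJwt(token, { expectedAlg, nowSec = Math.floor(Date.now() / 1000), skewSec = 60 } = {}) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated segments");
  const header = JSON.parse(b64urlDecode(parts[0]));
  const payload = JSON.parse(b64urlDecode(parts[1]));
  const findings = [];
  // Pitfall: the header's alg differs from what the server is configured to accept.
  if (expectedAlg && header.alg !== expectedAlg) {
    findings.push(`alg mismatch: header says ${header.alg}, expected ${expectedAlg}`);
  }
  if (typeof payload.exp !== "number") {
    findings.push("no numeric exp claim");
  } else if (payload.exp > 1e11) {
    // Heuristic (assumption): a value this large is almost certainly milliseconds.
    findings.push("exp looks like milliseconds, not seconds");
  } else if (nowSec > payload.exp + skewSec) {
    findings.push(`expired ${nowSec - payload.exp}s ago`);
  } else if (nowSec > payload.exp) {
    findings.push(`past exp by ${nowSec - payload.exp}s, within ${skewSec}s skew allowance`);
  }
  return { header, payload, signature: parts[2], findings };
}

// Constructed sample token; the signature segment is a dummy value.
function b64urlEncode(obj) {
  return btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const sampleToken = [
  b64urlEncode({ alg: "HS256", typ: "JWT" }),
  b64urlEncode({ sub: "user-123", iat: 1700000000, exp: 1700003600 }),
  "c2lnbmF0dXJl",
].join(".");
```

Passing a fixed nowSec makes the expiry result reproducible when comparing a token's exp against the time a "token expired" error was logged.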