Free JWT Decoder

Decode and inspect JWT tokens instantly. See header, payload, expiration, and algorithm. Runs in your browser — your tokens never leave your machine.


🔍 Token Inspection

Instantly decode any JWT and view the header, payload, and signature. See the algorithm, token type, and all claims at a glance.

⏱️ Expiration Check

Automatically detects issued-at and expiration timestamps. Shows whether the token is currently valid or expired.

🔒 Privacy & Security

All decoding happens locally in your browser using JavaScript. Your tokens are never sent to any server. Safe for sensitive data.

How to Decode a JWT

Paste your JWT token into the input field and the decoded header, payload, and signature appear instantly below. The header shows the signing algorithm and token type. The payload displays all claims including subject, issuer, expiration, and any custom data. Copy the decoded header or payload with one click.

Understanding JWT Structure

A JSON Web Token consists of three Base64URL-encoded parts separated by dots. The header declares the algorithm (e.g., HS256, RS256) and token type. The payload carries claims: standardized fields like iss (issuer), sub (subject), exp (expiration), and iat (issued at), plus any custom claims your application needs. Base64URL is an encoding, not encryption, so anyone holding the token can read the header and payload. The signature is computed over the header and payload so the recipient can detect tampering; it is verified server-side using the signing key.
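The structure described above can be decoded with a few lines of browser JavaScript. This is an added example, not this tool's own code: the function names, the status strings and the sample token are assumptions made for illustration, and the sample token is constructed with a placeholder signature.

```javascript
// Added example: local JWT decoding. The signature is NOT verified here.

// Base64URL -> UTF-8 text: map '-'/'_' back to '+'/'/' and restore padding.
function b64urlDecode(part) {
  if (!/^[A-Za-z0-9_-]+$/.test(part) || part.length % 4 === 1) {
    throw new Error("segment is not valid Base64URL");
  }
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(part.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// UTF-8 text -> Base64URL; used only to build the constructed sample below.
function b64urlEncode(text) {
  const bin = String.fromCharCode(...new TextEncoder().encode(text));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Hypothetical helper: returns algorithm, claims and expiry status.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts.slice(0, 2).map((p) => {
    const obj = JSON.parse(b64urlDecode(p));
    if (obj === null || typeof obj !== "object") throw new Error("not a JSON object");
    return obj;
  });
  // exp and iat are NumericDate values: seconds since the Unix epoch.
  const hasExp = typeof payload.exp === "number";
  return {
    alg: header.alg,
    typ: header.typ,
    payload,
    status: !hasExp ? "NO_EXP" : nowSeconds >= payload.exp ? "EXPIRED" : "VALID",
    expiresAt: hasExp ? new Date(payload.exp * 1000).toISOString() : null,
    signatureVerified: false, // decoding alone never proves authenticity
  };
}

// Constructed sample token: made-up claims, placeholder signature segment.
const sampleToken = [
  b64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  b64urlEncode(JSON.stringify({ iss: "https://issuer.example", sub: "user-123",
    iat: 1700000000, exp: 1700003600, name: "Zoë" })),
  "c2lnbmF0dXJl",
].join(".");
```

Passing nowSeconds explicitly makes the expiry check reproducible; a status of VALID only means the exp time has not passed, which is why signatureVerified is always false.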

Frequently Asked Questions

What is a JWT token?
A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three Base64URL-encoded parts separated by dots: a header, a payload, and a signature.
Can this tool verify JWT signatures?
No — this tool only decodes and inspects JWT tokens. Signature verification requires access to the signing key or public certificate, which is a server-side operation. This tool shows you the decoded contents so you can inspect claims, expiration, and algorithm.
Is it safe to paste my JWT token here?
Yes — all decoding happens locally in your browser using JavaScript. Your token is never sent to any server. However, you should still avoid sharing tokens publicly, as they may contain sensitive claims.
What are the three parts of a JWT?
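The header specifies the signing algorithm and token type. The payload contains the claims: data like user ID, roles, issuer, and expiration time. The signature is a cryptographic value (an HMAC or a digital signature, depending on the algorithm) computed over the header and payload, which lets the recipient verify that the token hasn't been tampered with.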
How do I check if a JWT is expired?
Paste your token into the decoder. If the payload contains an 'exp' (expiration) claim, the tool will display the expiration timestamp and show whether the token is currently EXPIRED or VALID. VALID here means only that the expiration time has not passed; the signature is not checked.
What algorithms do JWTs use?
Common algorithms include HS256 (HMAC with SHA-256), RS256 (RSA with SHA-256), and ES256 (ECDSA with SHA-256). The algorithm is specified in the token header and determines how the signature is generated and verified.