Developer Tool

JWT Decoder

Decode and inspect any JSON Web Token instantly — header, payload, claims, and expiry. Everything happens in your browser.

100% client-side · Token never leaves your browser
Signature verification requires the secret or public key and is not performed client-side. This tool only decodes the token structure.
How a JWT is structured
Three Base64URL-encoded parts separated by dots
Header (algorithm & token type) · Payload (claims: user data, expiry…) · Signature (integrity verification)

📋 Header

Specifies the token type (typ: JWT) and signing algorithm (alg), e.g. HS256, RS256, ES256.

📦 Payload

Contains claims: registered (iss, sub, exp, iat), public, and private claims carrying user or session data.

🔐 Signature

Created by signing the encoded header and payload with a secret or private key. Verifying it requires the key; decoding does not.

⏱ Common Claims

exp = expiry, iat = issued-at, nbf = not-before, sub = subject, iss = issuer, aud = audience.

Frequently Asked Questions
Is it safe to paste my JWT here?
All decoding is done entirely in your browser; no data is ever sent to any server. That said, avoid pasting live production tokens on shared or public computers, as JWTs can grant access to protected resources.
Can this tool verify a JWT signature?
No — cryptographic verification requires the secret or public key used when the token was signed. This tool decodes and displays all contents without that key. To verify signatures, use your server-side library (jsonwebtoken, PyJWT, etc.).
What does "exp" mean and how is expiry checked?
The exp claim is a Unix timestamp (seconds since Jan 1 1970 UTC) representing when the token expires. This decoder automatically reads that value and compares it to your current local time, showing a VALID or EXPIRED badge.
What is the difference between HS256 and RS256?
HS256 uses a shared HMAC secret — both signing and verification use the same key, suitable for single-server apps. RS256 uses RSA asymmetric keys — the private key signs, the public key verifies, making it ideal for distributed systems where multiple services need to verify tokens without knowing the secret.
Why does the payload end with == padding sometimes?
JWTs use Base64URL encoding, which strips the = padding characters for cleaner URLs. This decoder handles both padded and unpadded variants automatically.
Is a JWT encrypted?
Standard JWTs (JWS) are signed but not encrypted: the payload is Base64URL-encoded and anyone can read it. Never store sensitive secrets in a JWT payload unless you use JWE (JSON Web Encryption). Always transmit JWTs over HTTPS.
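
The decode path described on this page (Base64URL segments with or without padding, followed by an exp comparison), written out as an added example; it is not this tool's own code. The function names, the NO_EXPIRY and NOT_YET_VALID statuses, and the sample token are assumptions constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. No signature check is performed,
// so nothing returned here may be trusted for an authorization decision.
function b64urlToText(segment) {
  if (!/^[A-Za-z0-9_-]*={0,2}$/.test(segment)) throw new Error('not Base64URL');
  // Drop optional '=' padding, map the URL-safe alphabet back, re-pad to a multiple of 4.
  let s = segment.replace(/=+$/, '').replace(/-/g, '+').replace(/_/g, '/');
  if (s.length % 4 === 1) throw new Error('invalid Base64URL length');
  s += '='.repeat((4 - (s.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(s), (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// nowSeconds is injectable so the expiry logic can be checked against a fixed clock.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = JSON.parse(b64urlToText(parts[0]));
  const payload = JSON.parse(b64urlToText(parts[1]));
  let status = 'NO_EXPIRY'; // assumed label for tokens without an exp claim
  if (typeof payload.exp === 'number') {
    status = nowSeconds >= payload.exp ? 'EXPIRED' : 'VALID';
  }
  if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) {
    status = 'NOT_YET_VALID'; // assumed label; the page only names VALID and EXPIRED
  }
  return { header, payload, status, signatureVerified: false };
}

// Constructed sample token; the signature segment is a dummy value that is never checked.
function b64url(obj) {
  return btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const SAMPLE = [
  b64url({ alg: 'HS256', typ: 'JWT' }),
  b64url({ sub: 'user-123', iat: 1700000000, exp: 1700003600 }),
  'c2lnbmF0dXJl',
].join('.');
```
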