CalculatorWala
Blog

JWT Decoder

Free JWT Decoder: paste any JSON Web Token to instantly see its header, payload, and human-readable expiry, right in your browser.

This only decodes the token. It does not verify the signature.

Expired — expires Tue, 20 May 2025 21:03:42 GMT
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1716239022,
  "exp": 1747775022
}

exp: 1747775022Tue, 20 May 2025 21:03:42 GMT

iat: 1716239022Mon, 20 May 2024 21:03:42 GMT

Signature (not verified)
dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U

JWT, Quick Facts

  • A JWT (JSON Web Token) has three Base64URL-encoded parts separated by dots: header.payload.signature.
  • The header and payload are plain JSON, not encrypted, anyone can decode and read them without a secret key.
  • Only the signature is cryptographically protected. It proves the token wasn't tampered with, but only if you verify it against the issuer's secret or public key.
  • Standard claims include exp (expiry), iat (issued at), nbf (not valid before), and sub (subject/user ID).

The Real Problem This Solves

A JWT looks like an unreadable blob of random characters, but it isn't encrypted, it's just Base64URL-encoded JSON. When an API call fails with an auth error, you need to see what's actually inside the token: is it expired, does it have the right claims, is it even well-formed.

This decodes it instantly and flags whether it's expired based on your local clock, all without ever sending your token anywhere.

How a JWT Is Structured

Each of the three segments is Base64URL-decoded independently. The header names the signing algorithm; the payload carries the actual claims (user ID, permissions, expiry); the signature is a cryptographic hash of the first two segments plus a secret key, which only the issuing server can verify.

Example: a payload like {"sub":"1234567890","exp":1747775022} means this token was issued for user 1234567890 and expires at the Unix timestamp 1747775022, decoded above into a readable UTC date automatically.

Frequently Asked Questions

Is my token safe to paste here?

Decoding happens entirely in your browser using JavaScript's built-in Base64 functions; the token is never sent to a server. That said, treat any live authentication token as sensitive and avoid pasting it into any tool you don't fully trust once you're done debugging.

Can this tool verify the signature?

No, verifying a signature requires the issuer's secret key (for HMAC algorithms like HS256) or public key (for RSA/ECDSA algorithms), which only the issuing server or a trusted party has. This tool decodes the readable parts and shows the signature, but cannot confirm the token was not forged.

Why does it say my token is expired?

The exp claim is a Unix timestamp; this tool compares it against your current local time. If exp is in the past, the token would be rejected by any API that properly validates JWTs.

What is the difference between a JWT and a session cookie?

A session cookie is typically a random ID the server looks up in its own database. A JWT is self-contained: all the claims travel inside the token itself, so a server can validate it, given the right key, without a database lookup, at the cost of being unable to instantly revoke it before expiry.

Can I decode any JWT, from any provider?

Yes. The JWT format (RFC 7519) is a standard used by Auth0, Firebase, AWS Cognito, and countless custom auth systems, this decodes any correctly formatted token regardless of issuer.

Building or inspecting a token by hand?

A JWT is just three Base64URL segments joined by dots. Encode or decode a segment manually with our Base64 Encoder/Decoder.

Open Base64 Encoder/Decoder
Disclaimer: This tool decodes JWT contents only; it does not verify the cryptographic signature. A decoded, readable payload does not by itself prove the token is authentic or untampered.