JWT Decoder

Decode JWT tokens, view Header, Payload & expiry status

About this tool

A JSON Web Token (JWT) is a compact, URL-safe string used to carry claims between two parties — most commonly to represent a logged-in user's session. It has three base64url-encoded parts joined by dots: header.payload.signature.

This decoder splits a JWT, base64url-decodes the header and payload, and shows you the resulting JSON along with key claim metadata (issued-at, expiration, time remaining). It does NOT verify the signature — anyone can decode a JWT, but only the holder of the signing key can prove it's authentic.

How to use

Decode a JWT

  1. Paste the full token (including both dots) into the input box.
  2. Header and payload are decoded immediately and displayed as pretty-printed JSON.
  3. Standard claims like iat, exp, nbf, iss, sub are highlighted; the expiration status (valid / expired / not-yet-valid) is computed against your local clock.
  4. Use the copy buttons to grab any individual section.

Examples

Decode a sample HS256 token

Input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNzAwMDAwMDAwLCJleHAiOjE3MDAwMDM2MDB9.signature
Output
Header:
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload:
{
  "sub": "1234567890",
  "name": "Alice",
  "iat": 1700000000,
  "exp": 1700003600
}
Status: expired (exp 2023-11-14 22:13:20 UTC)

Frequently asked questions

Does this verify the signature?

No. Verification requires the signing secret (HS256/HS512) or public key (RS256/ES256), which we don't have. This tool only decodes the header and payload so you can inspect claims. Treat decoded contents as untrusted unless you've verified the signature yourself.

Is it safe to paste a real JWT here?

Decoding runs entirely in your browser — nothing is uploaded. That said: a JWT effectively IS a credential. If you paste an active token, anyone who can see your screen can use it. Decode test or expired tokens when possible.

What does alg=none mean?

It means the token claims to be unsigned. Several historical libraries had vulnerabilities where they accepted alg=none and trusted the payload. Production verifiers should explicitly reject alg=none — it's almost never a legitimate value.

What are iat, exp, nbf?

Standard registered claims (RFC 7519). iat = issued at (Unix seconds). exp = expiration time. nbf = not before. iss = issuer. sub = subject (usually the user ID). aud = audience.

Why does the token use a weird base64 variant?

JWT uses base64url, which replaces + with -, / with _, and drops trailing = padding. This makes the token URL- and header-safe without escaping. The decoder handles this automatically.
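
The decoding steps this page describes (split on the dots, base64url-decode with padding restored, compute the status from exp and nbf, flag alg=none), as an added Node.js example that is not this tool's own code. The names `b64urlToJson` and `decodeJwt`, the `warnings` field and the extra `no-exp` status are assumptions made for the example.

```javascript
// Added example, not ToolCozy's code. Runs on Node.js (uses the global Buffer).
// Token copied from the Examples section; its third segment is the literal "signature".
const SAMPLE = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNzAwMDAwMDAwLCJleHAiOjE3MDAwMDM2MDB9." +
  "signature";

function b64urlToJson(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not base64url");
  // base64url -> base64: map '-' to '+', '_' to '/', then restore the dropped '=' padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
}

// nowSeconds is injectable so the status can be checked against a fixed clock.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);

  // "no-exp" is an extra status added here for tokens that carry no exp claim.
  let status = "valid";
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) status = "not-yet-valid";
  else if (typeof payload.exp !== "number") status = "no-exp";
  else if (nowSeconds >= payload.exp) status = "expired";

  const warnings = [];
  if (typeof header.alg !== "string" || header.alg.toLowerCase() === "none") {
    warnings.push("alg=none: token claims to be unsigned");
  }
  if (parts[2] === "") warnings.push("empty signature segment");
  // Decoding proves nothing about authenticity, so the result says so explicitly.
  return { header, payload, status, warnings, signatureVerified: false };
}

console.log(decodeJwt(SAMPLE, 1700000100).status); // fixed clock, between iat and exp
console.log(decodeJwt(SAMPLE).status);             // local clock
```

The `signatureVerified: false` field is always false here: a real verifier checks the signature against an explicit allowlist of algorithms before any claim in the payload is trusted.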