What is a JWT token?
A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three Base64url-encoded parts separated by dots: a header (algorithm and type), a payload (claims/data), and a signature. JWTs are widely used for authentication and API authorization.
Is it safe to decode JWTs in the browser?
Yes. JWT payloads are not encrypted; they are simply Base64url-encoded, which anyone can decode. This tool decodes tokens entirely in your browser with no server calls, so your tokens are never transmitted or stored anywhere. However, never put sensitive secrets in JWT payloads since they are readable by anyone.
Does this tool verify JWT signatures?
No. This tool only decodes and displays the token contents. Signature verification requires the secret key or public key used to sign the token, which should only exist on your server. For security, always verify signatures server-side; never trust a JWT based on its decoded contents alone.
How do I check if a JWT is expired?
Paste your JWT into the decoder and look at the expiration status banner. If the token contains an 'exp' (expiration) claim, the tool automatically compares it to the current time and shows whether the token is still valid or has expired, along with the exact time remaining or elapsed.
What are common JWT claims?
Standard JWT claims include: iss (issuer: who created the token), sub (subject: who the token is about), aud (audience: intended recipient), exp (expiration time), iat (issued at), nbf (not before: token is not valid before this time), and jti (JWT ID: unique identifier). Custom claims can contain any application-specific data.
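The decode and expiration check described in the answers above, extended to the nbf claim, written out as an added JavaScript example (it is not this tool's own code). The names b64urlDecode, decodeJwt, timeStatus and SAMPLE are hypothetical, the sample token is constructed, and the code assumes the atob, btoa and TextDecoder globals of a browser or a recent Node.js.

```javascript
// Decode one Base64url segment (URL-safe alphabet, padding stripped) to a UTF-8 string.
function b64urlDecode(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error('segment is not Base64url');
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const bin = atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
  return new TextDecoder().decode(Uint8Array.from(bin, c => c.charCodeAt(0)));
}

// Split and decode a JWT WITHOUT verifying it; treat the result as untrusted input.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return {
    header: JSON.parse(b64urlDecode(parts[0])),
    payload: JSON.parse(b64urlDecode(parts[1])),
    verified: false, // the signature segment is never checked here
  };
}

// Classify a payload by its exp and nbf claims (both are seconds since the epoch).
function timeStatus(payload, nowMs = Date.now()) {
  const now = Math.floor(nowMs / 1000);
  const { exp, nbf } = payload;
  // A claim that is present but not a number (e.g. a string) is malformed, not "valid".
  if (nbf !== undefined && !Number.isFinite(nbf)) return { state: 'invalid-nbf' };
  if (exp !== undefined && !Number.isFinite(exp)) return { state: 'invalid-exp' };
  if (nbf !== undefined && now < nbf) return { state: 'not-yet-valid', seconds: nbf - now };
  if (exp === undefined) return { state: 'no-expiry' };
  return now >= exp
    ? { state: 'expired', seconds: now - exp }
    : { state: 'valid', seconds: exp - now };
}

// Constructed sample token: made-up claims and a placeholder signature segment.
const enc = obj =>
  btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE = [
  enc({ alg: 'HS256', typ: 'JWT' }),
  enc({ sub: 'user-123', iat: 1700000000, exp: 1700003600 }),
  'c2ln',
].join('.');

// Fixed clock (600 s before exp) so the result is repeatable.
function demo() {
  return timeStatus(decodeJwt(SAMPLE).payload, 1700003000 * 1000);
}
```

A "valid" result here says only that the claimed time window is open; because the signature is not checked, anyone can produce a token that yields it.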
Is this JWT decoder free?
Yes, completely free with no signup required. Decode as many tokens as you need. All processing happens in your browser; no data is ever sent to any server.