Claims are statements about an entity typically the user stored in the JWT payload. Standard claims include iss for issuer, sub for subject, aud for audience, exp for expiration, iat for issued at, nbf for not before, and jti for JWT ID. Custom claims can also be included.

Home ToolsJWT Decoder

DEVELOPER SECURITY TOOL

JWT Decoder

🔐 Decode & inspect JSON Web Tokens instantly — Header, Payload, Claims, expiry status, algorithm & all standard claims. 100% client-side.

✅ 100% Free🔒 Never Sent to Server⚡ Instant Decode🛡️ All Algorithms

HS256 · RS256 · ES256 & More

Expiry Detection

All RFC 7519 Claims

Paste JWT Token

0 chars

Try samples:

🔧 How It Works

Decode and inspect any JWT token in seconds — no backend required

Paste Your JWT Token

Paste any JSON Web Token — from an Authorization header, cookie, or API response — into the input box

Instant Decode

Click Decode to instantly split and decode the Header, Payload, and Signature into readable JSON

Inspect & Verify

Review all claims, check expiry status, algorithm, issuer, roles and copy any value in one click

Frequently Asked Questions

Everything you need to know about JWT tokens and this decoder

Do I need to sign up or log in to use this tool?

No. All QuickTextTools are completely free to use online with no login, signup, or account required.

What is a JWT token?

JWT stands for JSON Web Token. It is an open standard (RFC 7519) for securely transmitting information between parties as a compact, URL-safe JSON object. JWTs are widely used for authentication and authorization in web applications and APIs.

Is it safe to paste my JWT token here?

Yes. All JWT decoding happens entirely in your browser using JavaScript. Your token is never sent to any server, stored, or logged. However, avoid sharing tokens containing sensitive production credentials with anyone.

What are the three parts of a JWT?

A JWT has three Base64Url-encoded parts separated by dots. The Header contains the algorithm and token type. The Payload contains the claims (data). The Signature verifies the token has not been tampered with.

Can this tool verify the JWT signature?

This tool decodes and inspects the Header and Payload of any JWT without signature verification. Signature verification requires the secret key or public key used to sign the token, which should never be shared publicly.

What JWT algorithms are supported?

The decoder supports all JWT algorithms for inspection including HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512 and PS256. The algorithm is displayed from the token header.

What are JWT claims?

Claims are statements about an entity (typically the user) stored in the JWT payload. Standard claims include iss (issuer), sub (subject), aud (audience), exp (expiration), iat (issued at), nbf (not before), and jti (JWT ID). Custom claims can also be included.

How do I check if a JWT is expired?

The tool automatically checks the exp (expiration) claim against the current time and displays whether the token is valid or expired, along with the exact expiration date and time remaining.