ToolPane

JWT Decoder

Decode and inspect JSON Web Tokens client-side. Nothing is sent to any server.


What is a JSON Web Token (JWT)?

A JWT is a compact, URL-safe token format defined in RFC 7519. It consists of three Base64url-encoded parts separated by dots: header.payload.signature. JWTs are widely used for authentication, authorization, and information exchange in web APIs. The header specifies the signing algorithm, the payload contains claims (user data, expiration, etc.), and the signature lets the recipient verify that the header and payload have not been altered since the token was issued.

JWT Structure Explained

Every JWT has three parts separated by dots. The header declares the algorithm and token type. The payload carries the claims — statements about the user and metadata. The signature is created by signing the encoded header and payload with a secret or private key.
// Header (algorithm & token type)
{
  "alg": "HS256",
  "typ": "JWT"
}

// Payload (claims)
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622
}

// Signature
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)

Common JWT Claims

  • iss (Issuer): Who issued the token
  • sub (Subject): The user or entity the token represents
  • aud (Audience): The intended recipient
  • exp (Expiration): When the token expires (Unix timestamp)
  • nbf (Not Before): Token not valid before this time
  • iat (Issued At): When the token was created
  • jti (JWT ID): Unique identifier to prevent reuse

When to Use JWTs

  • Stateless authentication: No server-side session storage needed
  • Single Sign-On (SSO): Share auth across microservices
  • API authorization: Include permissions/roles in token claims
  • Information exchange: Signed tokens let the recipient verify who issued the data and that it is unaltered

Frequently Asked Questions

Is it safe to decode a JWT in the browser?
Yes. The header and payload of a JWT are only Base64url-encoded, not encrypted. Anyone with the token can read them. The signature prevents tampering but doesn't hide the contents. This tool decodes locally — your token never leaves your browser.
What's the difference between JWS and JWE?
JWS (JSON Web Signature) is what most people mean by 'JWT' — the payload is readable but signed. JWE (JSON Web Encryption) encrypts the payload so it can't be read without the key. Most authentication systems use JWS.
Can I verify a JWT signature with this tool?
This tool decodes and displays the header and payload only. Signature verification requires the shared secret or the issuer's public key, which this tool deliberately does not ask for, so that no key material is ever pasted into a third-party page. For verification, use your application's JWT library.
Why does my JWT have an 'exp' claim in the past?
The exp (expiration) claim is a Unix timestamp. If it's in the past, the token has expired. Most JWT libraries reject expired tokens automatically. Check the iat (issued at) and exp claims to see the token's valid window.
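The decoding and expiry checks described above, as an added example that is not part of the ToolPane tool's own code: it splits a token into its three segments, Base64url-decodes the header and payload, and checks exp, nbf and iat against a given time. The sample token is constructed from the header and payload shown on this page with a placeholder third segment; the signature is split out but not verified, exactly as with the decoder.

```javascript
// Added example (not the tool's code): decode a JWT client-side and check its time claims.
// The signature segment is split out but NOT verified, matching what the decoder does.

function base64UrlDecode(segment) {
  // base64url -> standard base64: restore the two substituted characters and the padding
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4 !== 0) b64 += "=";
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // claim values may contain UTF-8
}

function base64UrlEncode(text) {
  const bytes = new TextEncoder().encode(text);
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload, signature] = parts;
  return {
    header: JSON.parse(base64UrlDecode(header)),
    payload: JSON.parse(base64UrlDecode(payload)),
    signature, // raw base64url; verifying it needs the key, so it is left as-is here
  };
}

// Check exp / nbf / iat against `now` (seconds since the Unix epoch, like the claims).
// `leeway` tolerates small clock skew between issuer and verifier.
function checkTimeClaims(payload, now, leeway = 0) {
  const problems = [];
  if (typeof payload.exp === "number" && now >= payload.exp + leeway) problems.push("expired");
  if (typeof payload.nbf === "number" && now < payload.nbf - leeway) problems.push("not yet valid");
  if (typeof payload.iat === "number" && payload.iat > now + leeway) problems.push("issued in the future");
  return { valid: problems.length === 0, problems };
}

// Constructed sample: the header and payload from the page above, plus a placeholder
// third segment that is not a real HMAC (constructed test data, not a live token).
const SAMPLE_HEADER = { alg: "HS256", typ: "JWT" };
const SAMPLE_PAYLOAD = { sub: "1234567890", name: "John Doe", iat: 1516239022, exp: 1516242622 };
const SAMPLE_TOKEN =
  base64UrlEncode(JSON.stringify(SAMPLE_HEADER)) + "." +
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)) + ".placeholder_signature";

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header, decoded.payload);
// 1516240000 lies inside the iat..exp window; the current time reports "expired"
console.log(checkTimeClaims(decoded.payload, 1516240000));
console.log(checkTimeClaims(decoded.payload, Math.floor(Date.now() / 1000)));
```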
