JWT Decoder
Decode and inspect JWT tokens without a secret key. View header algorithm, payload claims and expiry — useful for debugging API auth.
About This Tool
JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting claims between parties as a compact, URL-safe string. A JWT consists of three Base64URL-encoded parts: Header (algorithm and token type), Payload (claims), and Signature. QuickKit's JWT Decoder decodes all three parts client-side without sending your token to any server — useful for debugging auth flows, inspecting claims, and checking token expiry.
Features
- Decode Header & Payload — Instantly decode both the header and payload sections and display them as formatted JSON.
- Expiry Check — Highlights the exp claim and tells you whether the token has expired based on the current time.
- Signature Display — Shows the raw Base64URL-encoded signature so you can copy it for manual verification.
- Fully Private — Your JWT is decoded entirely in-browser. No tokens are ever sent to our servers.
- Error Handling — Shows a clear error message when the token format is invalid, rather than silently failing.
FAQ
- What are the three parts of a JWT?
- A JWT has the format xxxxx.yyyyy.zzzzz. The first part (Header) is a Base64URL-encoded JSON object specifying the signing algorithm (e.g. HS256). The second part (Payload) contains the claims — statements about the subject such as user ID, roles, and expiry time. The third part (Signature) is computed over the encoded header and payload using the signing key (a shared secret for HMAC, a private key for RSA/ECDSA); a valid signature shows the token has not been tampered with since it was issued.
- Is it safe to paste my JWT here?
- Yes — decoding happens entirely in your browser and no data is transmitted to any server. That said, JWTs often contain sensitive user information. As a general security practice, avoid pasting production tokens into online tools you don't fully trust. This tool's source is open and all processing is local.
- Can this tool verify the JWT signature?
- No. Signature verification requires the secret key (for HMAC) or the public key (for RSA/ECDSA), which you should never expose to a browser-based tool in production. This decoder is for inspection and debugging only. Use your server-side library to verify signatures.
- What is the exp claim?
- The exp (expiration time) claim is a Unix timestamp in seconds since the epoch (not milliseconds) indicating when the token expires. Servers should reject tokens with an exp value in the past. This decoder displays exp as a human-readable datetime so you can quickly check whether a token is still valid without converting manually.