AIAPIDate & TimeImageJSONMathNext.jsSecuritySEOTextDesignDatabase
All ToolsWorkspacesWorkflowsLearnError EncyclopediaAboutPrivacyTermsContactEmail

© 2026 Web Util Slyce. All tools run client-side — your data stays private.

How to Decode a JWT Token

JWT decoding extracts and displays the header and payload from a JSON Web Token. Each JWT has three parts encoded in Base64URL format, separated by dots.

Try JWT Decoder

What is this use case?

A JWT token consists of three Base64URL-encoded segments: Header (algorithm and token type), Payload (claims like user ID, expiration, and permissions), and Signature (verifies the token hasn't been tampered with).

Step-by-Step Guide

1

Copy your JWT

Get the JWT from your application's authorization header, local storage, or cookie.

2

Paste into decoder

Paste the complete JWT string (header.payload.signature) into the decoder input.

3

View decoded data

The tool decodes and displays the header and payload as formatted JSON, including all claims and timestamps.

4

Inspect claims

Check expiration (exp), issuer (iss), audience (aud), and custom claims. Verify timestamps are reasonable.

Tips & Best Practices

  • Never share JWT tokens — the payload is only base64-encoded, not encrypted. Anyone can decode and read the claims.
  • Check the expiration (exp) claim to see if your token is still valid.
  • Use a JWT generator to create test tokens for development.

Related Tools

JWT Decoder JWT Generator jwt.io vs JWT Decoder JWT vs Session

Frequently Asked Questions

Can I decode a JWT without the secret?

Yes. The header and payload are base64-encoded, not encrypted. You can decode them without any key. Only the signature requires the secret to verify.

How can I tell if a JWT is expired?

Look at the exp (expiration) claim in the decoded payload. It is a Unix timestamp. If it is in the past, the token is expired.