JWT Decoder
Paste any JSON Web Token to instantly decode the header, payload, and check expiry status. Nothing is sent to a server.
⚡ Quick Answer
A JWT (JSON Web Token) has three base64url-encoded parts separated by dots: header (algorithm), payload (claims), and signature. To decode: split on ".", base64url-decode each part, parse as JSON. The signature cannot be verified without the secret key.
What is a JWT?
JSON Web Tokens (JWT, pronounced "jot") are an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. They are commonly used for authentication — after login, a server issues a JWT that the client includes in subsequent requests.
JWT Structure
// A JWT looks like this:
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.SflKxwRJSMeKKF2QT4fw
header · payload · signature
Common JWT Claims Reference
| Claim | Name | Type | Description |
|---|---|---|---|
| iss | Issuer | String | Who issued the token |
| sub | Subject | String | Who the token is about |
| aud | Audience | String/Array | Who the token is for |
| exp | Expiration | Unix timestamp | When the token expires |
| iat | Issued At | Unix timestamp | When the token was issued |
| nbf | Not Before | Unix timestamp | Token not valid before this time |
| jti | JWT ID | String | Unique identifier for this token |
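Decoding shows what a token claims, not whether it is genuine. The sketch below is an added example (not code from this page) that checks an HS256 signature with the shared secret and then validates the exp, nbf and aud claims from the table above. The function names, the demo secret and the sample claims are constructed for illustration, and requiring exp is a policy choice of this example.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims, secret):
    """Build an HS256 token (used here only to construct demo input)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def verify_hs256(token, secret, audience, now=None, leeway=0):
    """Return the claims only if signature, alg, exp, nbf and aud all pass."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm on the verifier; never let the token choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    # Check the MAC before trusting any claim; compare in constant time.
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    # Requiring exp is this example's policy; the claim itself is optional.
    if "exp" not in claims or now >= claims["exp"] + leeway:
        raise ValueError("expired or missing exp")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise ValueError("not yet valid")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed value
    now = int(time.time())
    token = sign_hs256({"sub": "user", "aud": "api", "exp": now + 300}, secret)
    print(verify_hs256(token, secret, "api"))
    try:
        verify_hs256(token, b"wrong-secret", "api")
    except ValueError as err:
        print("rejected:", err)
```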
How to Decode a JWT in Code
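// JavaScript
function decodeJwt(token) {
  // Only the header and payload are decoded; the signature is not checked
  const [header, payload] = token.split('.');
  // Convert base64url to base64, then decode and parse
  const decode = str => JSON.parse(
    atob(str.replace(/-/g, '+').replace(/_/g, '/'))
  );
  return {
    header: decode(header),
    payload: decode(payload)
  };
}

// Check expiry (exp is in seconds, Date.now() is in milliseconds)
const { payload } = decodeJwt(token);
const isExpired = payload.exp < Date.now() / 1000;

// Python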
import base64, json, time

def decode_jwt(token):
    parts = token.split('.')

    def decode(part):
        # Restore the base64 padding that JWTs strip (0 to 3 '=' characters)
        padded = part + '=' * (-len(part) % 4)
        return json.loads(base64.urlsafe_b64decode(padded))

    return {
        'header': decode(parts[0]),
        'payload': decode(parts[1])
    }

# Check expiry
decoded = decode_jwt(token)
is_expired = decoded['payload']['exp'] < time.time()

// Go
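import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

func decodeJWT(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	// Guard against input that is not header.payload.signature
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// Check expiry (JSON numbers decode as float64)
func isExpired(claims map[string]interface{}) bool {
	exp, ok := claims["exp"].(float64)
	return ok && int64(exp) < time.Now().Unix()
}

Related Guides & Tutorials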
// developers also read
Session Management with Timestamp Expiration
How JWT exp claims work with Unix timestamps for secure session management.
Webhook Timestamp Security
Validate JWT timestamps in webhook payloads to prevent replay attacks.
Unix Timestamp Precision Guide
How JWT exp and iat claims use Unix timestamps and precision implications.