Question 1

What is a JWT?

Accepted Answer

A JSON Web Token (JWT) is a compact, URL-safe credential format defined in RFC 7519. It consists of three Base64URL-encoded parts separated by dots: a header (algorithm + token type), a payload (claims like sub, iat, exp), and a signature that prevents tampering. JWTs are widely used for authentication and stateless session management.

Question 2

Does this tool verify the signature?

Accepted Answer

No. Signature verification requires the secret (HS256) or the public key (RS256/ES256), which should never be entered into a third-party tool. This decoder is for inspection only — verify signatures server-side using a trusted JWT library and your own keys.

Question 3

Is my token sent to any server?

Accepted Answer

No. Decoding is done entirely in your browser using btoa/atob and JSON.parse. The token never leaves your device. You can verify by opening DevTools → Network tab and confirming no requests are made when you paste a token.

Question 4

What do iat, exp, and nbf mean?

Accepted Answer

iat (issued at) is the Unix timestamp when the token was created. exp (expiration) is when it stops being valid. nbf (not before) is the earliest moment it should be accepted. The decoder shows each one with both an ISO timestamp and a human-friendly relative time like "expires in 2h".

Question 5

How do I know if a JWT is expired?

Accepted Answer

The decoder automatically compares the exp claim against the current time and shows an "Expired" badge if the token is no longer valid. Tokens without an exp claim cannot be checked this way and remain valid indefinitely unless revoked server-side.

Question 6

Why is the signature shown but not decoded?

Accepted Answer

The signature is a hash, not a message — it does not decode to readable JSON. It is shown as the raw Base64URL string so you can compare it byte-for-byte against what your auth server expects.

JWT Decoder

Zero Network Calls

Expiry Detection

One-Click Copy

Frequently Asked Questions

Is signature verification supported?

Does this work with RS256, ES256, and HS256?

Can I decode a token without internet?

Why are my tokens flagged as expired?