How to Decode a JWT Token

JSON Web Tokens (JWTs) are used for authentication and data exchange in web applications. This guide shows you how to decode and inspect JWT tokens to understand their contents, verify claims, and debug authentication issues.

Quick Steps

  1. Open JWT Decoder: Go to the JWT Decoder on Toolin.
  2. Paste the token: Enter the full JWT string.
  3. Read the header: Check the signing algorithm and token type.
  4. Inspect the payload: Review claims like user ID, roles, and expiration.

Step-by-Step: Decode a JWT

1. Open the JWT Decoder tool

Navigate to the JWT Decoder on Toolin.

2. Paste your JWT

Paste the full JWT string (the three dot-separated sections) into the input field.

3. Inspect the decoded parts

The tool displays the header, payload, and signature separately. The header shows the algorithm used. The payload contains the claims like user ID, expiration time, and roles.

4. Check token expiration

Look at the exp claim to see when the token expires. The tool shows this as both a Unix timestamp and a human-readable date.

Understanding JWT Structure

A JWT consists of three parts separated by dots: header, payload, and signature. The header specifies the signing algorithm (usually HS256 or RS256). The payload contains the claims, which are statements about the user and metadata. The signature ensures the token has not been tampered with. Each part is Base64URL-encoded, not encrypted: decoding the header and payload yields plain JSON that anyone holding the token can read, while the signature decodes to raw bytes.

Common JWT Claims to Check

  • sub (subject): The user or entity the token represents.
  • exp (expiration): When the token becomes invalid.
  • iat (issued at): When the token was created.
  • iss (issuer): The service that issued the token.
  • aud (audience): The intended recipient of the token.
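
The structure and claim checks described above, as an added example for Node.js (not Toolin's code): it splits a token, Base64URL-decodes the header and payload, and evaluates exp, without verifying the signature. The function names, result fields, and the sample token are constructed for illustration.

```javascript
// Added example: decode (NOT verify) a JWT locally. All names are hypothetical.
function b64urlToString(part) {
  // Base64URL uses '-' and '_' and normally carries no '=' padding.
  if (!/^[A-Za-z0-9_-]+$/.test(part)) throw new Error("not Base64URL");
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64, "base64").toString("utf8");
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlToString(parts[0]));
  const payload = JSON.parse(b64urlToString(parts[1]));
  const hasExp = typeof payload.exp === "number";
  return {
    header,
    payload,
    signature: parts[2], // left encoded: it is raw bytes, not JSON
    expiresAt: hasExp ? new Date(payload.exp * 1000).toISOString() : null,
    expired: hasExp ? nowSeconds >= payload.exp : null,
    verified: false, // decoding proves nothing about authenticity
  };
}

// Constructed sample token; the third part is a placeholder, not a real signature.
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user-123", iss: "https://issuer.example", aud: "example-api",
        iat: 1700000000, exp: 1700003600 }),
  "c2lnbmF0dXJlLXBsYWNlaG9sZGVy",
].join(".");

console.log(decodeJwt(sampleToken, 1700000100));
```

Because `verified` is always false here, the decoded claims are suitable for debugging only; a server must verify the signature with its key before trusting any of them.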

Frequently Asked Questions

Can I verify the JWT signature with this tool?
The decoder displays the signature but does not verify it. Signature verification requires the secret key or public key, which should not be entered into any online tool.

Is it safe to paste JWTs into online tools?
Toolin processes everything locally in your browser, so the token never leaves your device. Avoid pasting production tokens into tools that send data to a server.

Why is my JWT showing as expired?
The exp claim contains a Unix timestamp indicating when the token expires. If the current time exceeds that value, the token is expired and needs to be refreshed.
