JWT Decoder
Decode JWT token headers and payloads to inspect their contents.
How to Use
Paste the full JWT token (the string starting with 'eyJ...') into the input field. The Header, Payload, and Signature sections are decoded and formatted automatically. Check the Payload for claims like exp (expiry time), iat (issued at), and sub (subject). The tool tells you whether the token is expired.
Who Is This For
Backend developers building JWT-based authentication, engineers debugging failing API requests, and frontend developers who need to inspect session or access token contents.
Key Features
• Header / Payload / Signature parsing
• Automatic Base64URL decoding
• Expiry time (exp) calculation and status display
• Algorithm (RS256, HS256, etc.) identification
• JSON formatting for readability
Frequently Asked Questions
Q: Does decoding also verify the signature?
A: No, this tool only decodes (shows the content). Signature verification requires the secret key or public key and must be done server-side.
Q: Is it safe to put sensitive data in a JWT payload?
A: No. The Payload is only Base64URL-encoded, not encrypted. Anyone who holds the token can decode it. Never put passwords or secrets in a JWT.
Q: Why does the exp timestamp look different from my local time?
A: exp is a UTC Unix timestamp. Korea time (KST) is UTC+9, so there will be a 9-hour offset.
Tips
When you get a 401 Unauthorized error, check the token's exp field with this tool first — expiry is the most common cause. In development, verify that newly generated tokens have the expiry time you intended.
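The decoding steps described above, as an added example that is not this tool's own code: split the token, Base64URL-decode each part, and read exp as a UTC timestamp (shown in KST as well). The function names and the sample token are constructed for illustration, and nothing here verifies the signature.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

KST = timezone(timedelta(hours=9))  # Korea Standard Time, UTC+9


def b64url_decode(segment: str) -> bytes:
    """Decode a Base64URL segment; JWTs strip the '=' padding, so restore it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> dict:
    """Split and decode a compact JWT. The signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"malformed JWT segment: {exc}") from exc
    return {"header": header, "payload": payload, "signature": signature}


def expiry_status(payload: dict, now: datetime) -> dict:
    """Interpret exp as a UTC Unix timestamp and compare it with 'now'."""
    if "exp" not in payload:
        return {"expired": None, "exp_utc": None, "exp_kst": None}
    exp = datetime.fromtimestamp(payload["exp"], tz=timezone.utc)
    return {"expired": now >= exp,
            "exp_utc": exp.isoformat(),
            "exp_kst": exp.astimezone(KST).isoformat()}


# Constructed sample token; the signature bytes are a placeholder.
SAMPLE = ".".join([
    b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps({"sub": "user-123", "iat": 1700000000, "exp": 1700003600}).encode()),
    b64url_encode(b"constructed-not-a-real-signature"),
])

if __name__ == "__main__":
    decoded = decode_jwt(SAMPLE)
    print(decoded, expiry_status(decoded["payload"], datetime.now(timezone.utc)))
```

Because the header and payload decode without any key, the decoded claims are only trustworthy after the server has verified the signature.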