JWT Decoder

Decode any JWT token to view the header, payload, claims, expiry status, and algorithm. Shows if the token is expired. Runs entirely in your browser — nothing sent to a server.


Frequently Asked Questions

What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and data exchange. It consists of three Base64URL-encoded parts: Header (algorithm), Payload (claims/data), and Signature — separated by dots.
Is JWT decoding safe?
Decoding is safe — anyone with the token can decode the header and payload, as they are simply Base64URL-encoded (not encrypted). The signature is what ensures integrity. Never put sensitive data like passwords in a JWT payload.
What is JWT signature verification?
This tool decodes the header and payload but does NOT verify the signature. Signature verification requires the secret key (HMAC) or public key (RSA/EC). Always verify signatures server-side before trusting token claims.
What are JWT claims?
Claims are the payload data: iss (issuer), sub (subject/user ID), aud (audience), exp (expiry timestamp), iat (issued at), nbf (not before). Custom claims can contain any data. The exp claim is checked here to show if the token has expired.
What does 'token expired' mean?
The exp (expiration) claim is a Unix timestamp. If the current time is past that timestamp, the token is expired. Expired tokens should be rejected by the server. Users typically need to log in again to get a fresh token.
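
The decoding steps described in the answers above (split on dots, Base64URL-decode the header and payload, read alg, compare exp and nbf with the current time) can be sketched as follows. This is an added example, not this tool's own source code; the names inspectJwt, segmentToObject, b64url and SAMPLE and the status strings are assumptions made for illustration. Like the tool, it only decodes and never verifies the signature.

```javascript
// Added example: decode-only inspection. It never verifies the signature.
const B64URL = /^[A-Za-z0-9_-]+$/;

function segmentToObject(segment, name) {
  if (!B64URL.test(segment) || segment.length % 4 === 1) {
    throw new Error(`${name}: not valid Base64URL`);
  }
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(segment.length / 4) * 4, '=');
  const bytes = Uint8Array.from(atob(b64), (ch) => ch.charCodeAt(0));
  let value;
  try {
    value = JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes));
  } catch {
    throw new Error(`${name}: not UTF-8 encoded JSON`);
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error(`${name}: must be a JSON object`);
  }
  return value;
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = segmentToObject(parts[0], 'header');
  const payload = segmentToObject(parts[1], 'payload');
  const warnings = [];
  if (parts[2] === '' || String(header.alg).toLowerCase() === 'none') {
    warnings.push('unsigned token: empty signature or alg "none"');
  }
  let status = 'within-validity-window';
  if (typeof payload.exp !== 'number') {
    status = 'no-expiry';
    warnings.push('no numeric exp claim');
  } else if (nowSeconds >= payload.exp) {
    status = 'expired'; // RFC 7519: current time must be before exp
  } else if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) {
    status = 'not-yet-valid';
  }
  return { alg: header.alg, header, payload, status, warnings, signatureVerified: false };
}

// Constructed sample token; the third part is placeholder text, not a real MAC.
const b64url = (obj) => btoa(JSON.stringify(obj))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE = [b64url({ alg: 'HS256', typ: 'JWT' }),
  b64url({ sub: 'user-1', nbf: 1000, exp: 2000 }), 'c2lnbmF0dXJl'].join('.');
console.log(inspectJwt(SAMPLE, 1500).status);
```

The returned signatureVerified field is always false: a status of within-validity-window only describes the time claims and is not a reason for a server to trust the token.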