A JSON Web Token (JWT) is a compact, URL-safe format for transmitting signed claims between parties. It consists of three Base64URL-encoded parts separated by dots: header, payload, and signature.

Is it safe to paste a JWT token here?

Yes. The JWT Decoder runs entirely in your browser. Your token is never sent to any server. However, treat production tokens as secrets — use test or expired tokens when possible.

What does the exp claim mean?

exp is a Unix timestamp (seconds since epoch) indicating when the token expires. The decoder converts it to a human-readable date so you can instantly see if a token has expired.

Decode a JWT Token | Daily Developer Tools

Try it now

Open JWT Decoder with a ready-to-run example.

Try it now

When you need this

A login is failing and you need to inspect the token your API is receiving.
You want to check whether a JWT has expired by reading the exp claim.
You need to verify the aud, iss, or role claims are correct before debugging further.
You received a token from a third-party OAuth provider and need to understand its structure.

How to do it with Daily Developer Tools

Paste the full JWT (all three dot-separated parts) into the JWT Decoder input.
The tool immediately splits and Base64URL-decodes the header and payload.
Check the exp, iat, aud, and iss fields in the decoded payload panel.
Optionally paste an HMAC secret to verify the signature (HS256/384/512).

Tips / common pitfalls

Decoding is not verification — anyone can decode a JWT. Signature verification confirms it was issued by a trusted party.
The exp and iat values are Unix timestamps in seconds, not milliseconds.
If a token has three parts but the header or payload decodes to garbage, the token may be malformed or use a non-standard encoding.
Never paste a live production token into any online tool. Use an expired token or a test token for debugging.

Examples & test data

Admin user token with expiry

Open tool with this example

Input — JWT token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjoxNzAwMDg2NDAwLCJhdWQiOiJhcGkuZXhhbXBsZS5jb20ifQ.signature

Decoded header

{"alg":"HS256","typ":"JWT"}

Decoded payload

{
  "sub": "user_123",
  "role": "admin",
  "iat": 1700000000,
  "exp": 1700086400,
  "aud": "api.example.com"
}

Service-to-service token with custom claims

Open tool with this example

Input — JWT token

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleS0wMDEifQ.eyJpc3MiOiJhdXRoLmludGVybmFsIiwic3ViIjoic3ZjLWJpbGxpbmciLCJhdWQiOlsicGF5bWVudHMuaW50ZXJuYWwiXSwic2NvcGUiOiJwYXltZW50czp3cml0ZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjoxNzAwMDAzNjAwfQ.rs256-signature

Decoded payload

{
  "iss": "auth.internal",
  "sub": "svc-billing",
  "aud": ["payments.internal"],
  "scope": "payments:write",
  "iat": 1700000000,
  "exp": 1700003600
}

FAQ

What is a JWT?

A JSON Web Token is a compact, URL-safe format for transmitting signed claims between parties. It has three Base64URL-encoded parts: header (algorithm), payload (claims), and signature.

Is it safe to paste a token here?

The decoder runs entirely in your browser — nothing is sent to a server. Still, best practice is to use expired or test tokens rather than live production credentials.

What does exp mean?

exp is a Unix timestamp (seconds since 1970-01-01T00:00:00Z) that marks when the token expires. The decoder shows this as a human-readable date and flags tokens that have already expired.

Why isn't the signature verified?

Decoding only Base64URL-decodes the header and payload — it does not check the signature. To verify, use the JWT & OAuth Security Toolkit which supports HS256/384/512 and RS256.

Related tools

JWT & OAuth Security Toolkit Base64 Encoder & Decoder Certificate & PEM Tools JSON Formatter

i Privacy-first: runs locally in your browser. No uploads.

Decode a JWT Token

Admin user token with expiry

Service-to-service token with custom claims

How to decode a JWT token

Common use cases

Why run this in your browser?