dev tools · vøiddo

jwtdecode

Paste any JWT and see the header, payload, and all claims as formatted JSON. Expiry detection, human-readable timestamps, algorithm name — no server, no storage, no signup.

npm i -g @v0idd0/jwtdecode
3 parts decoded · 6 alg types shown · 0 server calls · 0 storage
Signature (raw Base64url)
The signature is binary data. It cannot be verified without the secret key or public key, so it is shown here as raw Base64url. Use a server-side library to verify authenticity.

common uses

three moments where jwtdecode helps.

debug auth failures

paste the token from the Authorization header
See if exp has passed, check sub and roles claims, confirm iss matches your expected issuer — before writing a single line of code.

verify claim structure

paste a token from your staging environment
Check that your auth server is including the expected custom claims (tenant, permissions, plan) before wiring them up on the backend.

check token age

paste a token that “should still be valid”
jwtdecode shows iat as a human-readable date and computes time-to-expiry so you can confirm the issue time matches what your server logged.

also a cli

use it in scripts, pipes, and pre-commit.

npm global install

$ npm i -g @v0idd0/jwtdecode

node 14+ on linux / macos / windows. zero runtime deps.

decode from stdin

$ echo "$TOKEN" | jwtdecode

Prints formatted header and payload JSON to stdout. Exit 0 on success, 1 on invalid token.

pipe to jq

$ echo "$TOKEN" | jwtdecode --payload | jq '.exp'

--header or --payload outputs only that part as raw JSON — pipe-friendly for CI scripts.

faq

common questions.

Is it safe to paste a JWT here?

Yes — jwtdecode runs entirely in your browser. No data is sent anywhere. The token never leaves your device. Refresh the page and it is gone.

Can jwtdecode verify the signature?

No. The header and payload are just Base64url-encoded JSON, so they decode trivially. The signature is binary and requires the HMAC secret or RSA public key to verify. Use a server-side library (jsonwebtoken, PyJWT, etc.) for signature verification.

What do exp, iat, and nbf mean?

exp (expires at) — Unix timestamp after which the token is invalid. iat (issued at) — when the token was created. nbf (not before) — the token is invalid before this time. jwtdecode shows all three as human-readable dates and computes whether the token is currently valid.

What is the difference between HS256 and RS256?

HS256 uses a single shared secret (HMAC-SHA256) — whoever verifies needs the same secret. RS256 uses an RSA key pair — the private key signs, the public key verifies. RS256 is preferred for APIs consumed by third parties because they never need the private key.

Can I decode without a library?

Yes. Split the token string on ., take parts 0 and 1, replace - with + and _ with /, pad to a multiple of 4 with =, then base64-decode and parse as JSON. That is exactly what this page does.
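
The manual decode described in the answer above, as an added example (not jwtdecode's own source): it follows the same steps, then classifies the token against exp and nbf. The function names and the sample token are constructed for illustration; atob, btoa and TextDecoder are the built-ins available in browsers and in Node 16+.

```javascript
// Added example: decode a JWT by hand, following the steps in the FAQ answer.
// Decoded claims are UNVERIFIED: nothing here checks the signature.

// Base64url -> UTF-8 text: swap the URL-safe alphabet, pad with "=", decode.
function b64urlToText(part) {
  let b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4 !== 0) b64 += "=";
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Returns { header, payload, signature } or throws on a malformed token.
function decodeJwt(token) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) throw new Error("expected 3 dot-separated parts");
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(b64urlToText(p)));
  return { header, payload, signature: parts[2] }; // signature stays raw Base64url
}

// Classify the token against nbf / exp at time `now` (seconds since epoch).
// A token is treated as expired at exactly exp, not only after it.
function timeStatus(payload, now = Math.floor(Date.now() / 1000)) {
  if (typeof payload.nbf === "number" && now < payload.nbf) return "not-yet-valid";
  if (typeof payload.exp === "number" && now >= payload.exp) return "expired";
  return "within-validity-window";
}

// Helper used only to build the constructed sample token below (ASCII input).
function toB64url(obj) {
  return btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed sample, not a real credential; the signature is a dummy string.
const sampleToken = [
  toB64url({ alg: "HS256", typ: "JWT" }),
  toB64url({ sub: "user-123", iss: "https://auth.example.test", iat: 1700000000, exp: 1700003600 }),
  "ZHVtbXktc2lnbmF0dXJl",
].join(".");

const decoded = decodeJwt(sampleToken);
console.log(decoded.header.alg, decoded.payload.sub);
console.log("iat:", new Date(decoded.payload.iat * 1000).toISOString());
console.log("status 60s after iat:", timeStatus(decoded.payload, 1700000060));
console.log("status at exp:", timeStatus(decoded.payload, 1700003600));
```

Because the claims are read without checking the signature, use the output for debugging only and make authorization decisions from a token your server-side library has verified.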
