JWT Decoder
Decode JWT tokens and view header, payload and expiration.
JWT Decoder: analyze JSON Web Tokens instantly
JSON Web Tokens (JWT) are an open standard (RFC 7519) widely used to securely transmit information between parties as a compact JSON object. A JWT consists of three parts separated by dots: the header, the payload, and the signature.
This tool decodes the Base64URL-encoded parts of the JWT and displays them in readable JSON format. It also automatically identifies date fields like exp (expiration), iat (issued at), and nbf (not before).
All processing is done in your browser. No token is sent to external servers, which is essential for security since JWTs often contain sensitive information.
Frequently asked questions
What is a JWT and what is it used for?
A JWT (JSON Web Token) is a standard for creating access tokens that enable authentication and information exchange between a client and a server. They are primarily used in authentication systems (login), API authorization, Single Sign-On (SSO), and communication between microservices. Their compact format makes them ideal for including in HTTP headers or URL parameters.
Is it safe to decode a JWT in an online tool?
It is safe as long as the tool processes the token locally in your browser, as NexTools does. You should avoid tools that send the token to a server, since JWTs often contain sensitive data. It is important to understand that decoding is not the same as verifying: anyone can read the contents of a JWT, but only someone with the secret key can verify its signature and create valid tokens.
What do the fields exp, iat, and sub mean in a JWT?
These are standard claims defined in the JWT specification. "exp" (expiration) indicates when the token expires as a Unix timestamp. "iat" (issued at) marks the moment the token was issued. "sub" (subject) identifies the user or entity of the token. Other common claims include "iss" (issuer, who issued the token), "aud" (audience, who the token is intended for), and "nbf" (not before, from when the token is valid).