JWT Decoder

A JWT is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three parts: a header (algorithm and token type), a payload (claims/data), and a signature for verification. JWTs are commonly used for authentication and authorization in web applications.

Yes, decoding JWTs online is safe because the header and payload are only Base64URL encoded, not encrypted. Anyone can decode them. However, you should never share tokens containing sensitive data. The signature cannot be verified without the secret key, so decoding only reveals the claims, not whether the token is valid.

Check the "exp" (expiration) claim in the payload. It contains a Unix timestamp of when the token expires. If the current time is greater than the exp value, the token is expired. Our decoder automatically calculates and displays the expiration status.

Common claims include: "iss" (issuer), "sub" (subject), "aud" (audience), "exp" (expiration time), "nbf" (not before), "iat" (issued at), and "jti" (JWT ID). Custom claims can also be added to store application-specific data.

JWTs have three parts: 1) Header - contains the signing algorithm (e.g., HS256, RS256) and token type. 2) Payload - contains the claims (user data, expiration, etc.). 3) Signature - created by signing the header and payload with a secret key. These are Base64URL encoded and joined with dots.