JWT Decoder

Decode and inspect JWT tokens entirely in your browser. See header, payload, expiry timeline, and claims without sending your token to any server.

Use case

Debug auth tokens, inspect claims, and quickly confirm whether a token is expired or signed as expected.

What to expect

Paste a JWT to instantly see its header, payload, signature details, and token lifecycle. Add a shared secret to verify HS* signatures.

Good to know

This helps with inspection and verification, but it does not mint, refresh, or revoke tokens.

How it works

  1. Paste a JWT into the token box at the top of the page.
  2. Review the decoded header, payload, and claims, and optionally enter a shared secret to verify the signature.
  3. Use the lifecycle timeline and claim table to understand expiry and other key fields before copying or sharing.

All processing happens in your browser. Nothing you paste here is sent to any server or stored by DataSmith.io.

Want a deeper explanation of JWTs? Read the What Is a JWT Token? guide.

Frequently Asked Questions

Is it safe to paste my production JWT into this decoder?

Yes. DataSmith.io's JWT decoder processes your token entirely in your browser using JavaScript. The token is never sent to any server, never stored, and disappears when you close or refresh the tab.

What is the exp claim in a JWT?

The exp (expiry) claim is a Unix timestamp indicating when the token expires. The decoder converts it to a human-readable date and shows a visual timeline of how much of the token's lifetime has elapsed so you can quickly judge whether it is still valid.

What is the difference between the header, payload, and signature in a JWT?

The header specifies the algorithm and token type, the payload contains the claims about the user or context, and the signature lets you detect tampering. The tool renders all three side by side so you can understand what your authentication system is actually issuing.

Can I verify the JWT signature with this tool?

Yes. You can optionally enter your shared secret to verify HS-family signatures entirely in your browser. For asymmetric algorithms and production-grade verification, you should continue to rely on your server-side JWT libraries and middleware.

Does this decoder validate that my JWT is still usable in production?

The decoder shows expiry status and common claims so you can reason about validity, but it does not replace your application's authorization logic. Always treat this as an inspection tool and keep your final access checks in your backend or API gateway.

Can this tool decode JWTs that use algorithms other than HS256?

As long as the token is a well-formed JWT with three base64url segments, the decoder can parse and show the header and payload regardless of algorithm. Signature verification in the UI is limited to shared-secret HS* algorithms; RSA and ECDSA tokens should still be verified in your auth layer.

What happens if I paste an invalid or truncated JWT?

If the token does not have exactly three dot-separated segments or cannot be decoded, the tool shows a clear "Invalid JWT" state instead of partial or misleading output. You can correct the token and paste it again without any data being stored or logged.
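The checks these answers describe (three base64url segments, `exp` as a Unix timestamp, shared-secret HS* verification) can be reproduced locally. The following is an added example, not DataSmith.io's code: it runs in Node.js, and the function names, the sample token and the secret are constructed for illustration.

```javascript
// Added example, not the tool's own code. Runs in Node.js.
const { createHmac, timingSafeEqual } = require("node:crypto");

// Allowlist of shared-secret algorithms; any other header "alg" is left unverified.
const HS_ALGS = new Map([["HS256", "sha256"], ["HS384", "sha384"], ["HS512", "sha512"]]);

function decodeSegment(seg) {
  const obj = JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) throw new Error("not a JSON object");
  return obj;
}

function inspectJwt(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  // Exactly three non-empty base64url segments, otherwise report invalid and show nothing.
  if (parts.length !== 3 || !parts.every((p) => /^[A-Za-z0-9_-]+$/.test(p))) {
    return { valid: false, reason: "Invalid JWT" };
  }
  let header, payload;
  try {
    header = decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
  } catch {
    return { valid: false, reason: "Invalid JWT" };
  }
  // exp is seconds since the Unix epoch; null means the token states no expiry.
  const expired = typeof payload.exp === "number" ? nowSec >= payload.exp : null;
  // null means "signature not checked" (no secret, or a non-HS* alg), never "signature good".
  let signatureOk = null;
  const hash = HS_ALGS.get(header.alg);
  if (hash && typeof secret === "string") {
    const expected = createHmac(hash, secret).update(`${parts[0]}.${parts[1]}`).digest();
    const given = Buffer.from(parts[2], "base64url");
    signatureOk = given.length === expected.length && timingSafeEqual(given, expected);
  }
  return { valid: true, header, payload, expired, signatureOk };
}

// Builds a constructed HS256 sample token so the example runs offline.
function makeSampleToken(secret, claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const signingInput = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}`;
  const sig = createHmac("sha256", secret).update(signingInput).digest("base64url");
  return `${signingInput}.${sig}`;
}
```

A `signatureOk` of `null` for an RSA or ECDSA token is the case the answers above hand back to your server-side library.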

How to use this tool

Paste a JWT token to decode header, payload, and signature. Optionally enter the secret to verify the signature. Expiry and standard claims are shown with human-readable labels.