Practical guide

How to Decode and Inspect a JWT Safely

A JSON Web Token normally contains a header, payload, and signature. Decoding reveals readable claims, but it does not prove that the token is valid.


Step-by-step

  1. Copy a three-part JWT without extra spaces.
  2. Paste it into the JWT decoder.
  3. Review the header algorithm and payload claims.
  4. Check exp, nbf, iss, aud, and sub values.
  5. Verify the signature separately in your application.
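The steps above can also be run locally so the token never leaves your machine. The following is an added example, not code from this guide or its decoder tool: it decodes the header and payload without trusting them, checks the listed claims against a clock in seconds, and verifies an HS256 signature as a separate step. The function names, the HS256 choice, and the sample token builder are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

def b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_unverified(token: str):
    """Steps 1-3: split and decode. The result is untrusted until verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated parts")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload

def claim_problems(payload, now, issuer, audience):
    """Step 4: 'now' is Unix time in seconds, e.g. int(time.time())."""
    problems = []
    if "exp" not in payload or now >= payload["exp"]:
        problems.append("exp")
    if "nbf" in payload and now < payload["nbf"]:
        problems.append("nbf")
    if payload.get("iss") != issuer:
        problems.append("iss")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud")
    if not payload.get("sub"):
        problems.append("sub")
    return problems

def verify_hs256(token: str, key: bytes) -> bool:
    """Step 5: the application pins HS256; the header alg must match it."""
    header, _ = decode_unverified(token)
    if header.get("alg") != "HS256":
        return False
    signing_input, _, sig = token.strip().rpartition(".")
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def make_sample(payload, key):  # builds a constructed sample token for testing
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"
```

A token whose payload was edited after signing still decodes cleanly with `decode_unverified`, which is why only the result of `verify_hs256` plus an empty `claim_problems` list should gate access.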

Important tips

  • Do not paste sensitive production tokens into tools you do not trust.
  • Decoding is not signature verification.
  • Unix timestamps in JWT claims are usually measured in seconds.

Frequently asked questions

Can a decoded JWT be trusted?

No. Trust requires signature and claim validation.

What does exp mean?

The exp claim is the Unix timestamp after which the token should be rejected.
