Frequently Asked Questions

What is a JWT token?

A JSON Web Token (JWT) is a compact, URL-safe token format for securely transmitting information between parties as a JSON object. A JWT consists of three Base64URL-encoded parts separated by dots: a Header (algorithm and token type), a Payload (claims/data), and a Signature. JWTs are widely used for authentication and authorization in web APIs.

How do I decode a JWT without a library?

A JWT has three parts separated by dots. Split the token on ".", then Base64URL-decode each part. The header and payload are JSON strings that can be parsed with JSON.parse(). The signature is raw binary data. This JWT decoder does exactly that, with no library required. All decoding runs natively in your browser.

Is it safe to decode a JWT online?

This JWT decoder is completely safe to use. Your token is decoded entirely in your browser using native JavaScript and is never sent to any server. You can verify this by opening DevTools → Network tab while decoding: there are zero outbound requests. The tool performs only decoding, not verification.

What is the difference between JWT decoding and verification?

Decoding a JWT simply reads the Base64URL-encoded data inside the token. Anyone can decode a JWT without the secret key. Verification checks the cryptographic signature to confirm that the token was issued by a trusted party and has not been tampered with. Verification requires the secret key or public key. This tool decodes only — it does not verify signatures.

What does the exp claim in a JWT mean?

The exp (expiration time) claim specifies the Unix timestamp after which the JWT must not be accepted. This JWT decoder automatically detects the exp claim and shows whether the token is currently valid or has expired, along with the human-readable expiration date and time remaining or time since expiry.