JWT decoder

All decoding happens in your browser. util.work does not send your JWT to a server.

Signature verification requires the issuer's secret or public key, so this tool does not validate it.

What this JWT tool does

This page decodes a JSON Web Token in your browser and shows the header and payload as readable JSON, with human-readable timestamps for the iat, nbf, and exp claims and an expiration status badge.

If you searched for terms like JWT decoder, decode JWT online, JWT inspector, or JWT expiration check, this tool is built to give you a quick answer with a simple interface and no server round trip.

What is a JWT

A JWT (JSON Web Token) is a compact, URL-safe token format that carries claims between systems. It has three parts separated by dots: a base64url-encoded header, a base64url-encoded payload, and a signature. The header and payload are JSON objects that are encoded, not encrypted, so anyone holding the token can read them. The signature lets a party with the right key detect tampering with the header or payload.

How JWT decoding works

Decoding a JWT means splitting it on the dots, base64url-decoding the first two segments, and parsing each as JSON. The signature segment is left as base64url because it is binary data. Decoding does not require the signing key, while verifying the signature does.

Decoding versus verification

This tool decodes a JWT so you can read its claims, but it does not verify the signature. Verification requires the secret (for HMAC algorithms like HS256) or the public key (for RSA and ECDSA algorithms like RS256 and ES256). For inspection and debugging, decoding alone is usually enough. Claims read this way are unverified, so an application should not base access decisions on a token until it has verified the signature.

Common JWT claims

JWT payloads usually contain a mix of registered claims defined by the JWT standard and custom claims defined by the issuer. The table below lists the most common registered claims.

| Claim | Meaning |
|-------|---------|
| iss | Issuer that produced the token |
| sub | Subject the token is about (often a user id) |
| aud | Audience the token is intended for |
| exp | Expiration time as a Unix timestamp in seconds |
| nbf | Not-before time the token starts being valid |
| iat | Issued-at time the token was created |
| jti | Unique identifier for the token |

Reading exp, nbf, and iat

The exp, nbf, and iat claims are Unix timestamps measured in seconds since 1970-01-01 UTC. This tool converts them to a readable UTC time so you can quickly see when a token was issued, when it becomes valid, and when it expires.
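The decoding steps and timestamp conversion described above, as an added example that is not util.work's own code. It is written for Node.js (it uses Buffer); the function names, status strings, and sample token are assumptions made for illustration.

```javascript
// Added example: decode-only JWT inspection. Nothing here checks the signature,
// so every returned claim must be treated as untrusted input.
const b64urlEncode = (data) =>
  Buffer.from(data).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error('segment is not base64url');
  return Buffer.from(segment.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

function parseJsonObject(segment, name) {
  let value;
  try {
    value = JSON.parse(b64urlDecode(segment).toString('utf8'));
  } catch {
    throw new Error(`${name} is not base64url-encoded JSON`);
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error(`${name} is not a JSON object`);
  }
  return value;
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = parseJsonObject(parts[0], 'header');
  const payload = parseJsonObject(parts[1], 'payload');
  const times = {};
  for (const claim of ['iat', 'nbf', 'exp']) {
    const when = new Date(payload[claim] * 1000); // claims are seconds, Date wants ms
    if (Number.isFinite(payload[claim]) && !Number.isNaN(when.getTime())) times[claim] = when.toISOString();
  }
  let status = 'active';
  if (Number.isFinite(payload.exp) && nowSeconds >= payload.exp) status = 'expired';
  else if (Number.isFinite(payload.nbf) && nowSeconds < payload.nbf) status = 'not-yet-valid';
  else if (!Number.isFinite(payload.exp)) status = 'no-exp';
  return { header, payload, times, status, signature: parts[2], signatureVerified: false };
}

// Constructed sample token; the signature segment is a placeholder, not a real HMAC.
const sampleToken = [
  b64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  b64urlEncode(JSON.stringify({ sub: 'user-123', iat: 1714560000, exp: 1999999999 })),
  b64urlEncode('placeholder-signature'),
].join('.');

console.log(decodeJwt(sampleToken));
```

The status only reflects the exp and nbf claims against the clock; `signatureVerified` is always false because no key is involved.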

Common JWT use cases

JWTs appear in many parts of modern applications. They are popular because they are compact, self-contained, and easy to pass through systems that expect text.

  • Authentication tokens between a frontend and an API
  • OAuth and OpenID Connect ID tokens
  • Service-to-service authorization in microservices
  • Short-lived signed links and password reset tokens

Privacy

All decoding happens locally in your browser. The token you paste is not sent to util.work and is not stored on the server. Even so, avoid pasting production tokens into any online tool you do not control yourself.