How do I decode a JWT?

Paste the token (a string with three dot-separated base64url segments) into Specway's JWT decoder. The header (algorithm + token type) and payload (claims) are decoded and displayed as formatted JSON. The signature is shown but not verified — verification requires the secret or public key, which you should never paste into a browser tool.

Is it safe to paste a JWT into an online decoder?

Specway's decoder runs entirely in your browser — no network request leaves the page. That said, JWTs aren't encrypted; anyone who has the token can decode the payload. Treat them like passwords: don't paste production tokens you wouldn't paste anywhere else, and rotate any token you've shared into a tool.

Why does the decoder say "signature not verified"?

Verification requires the secret (HS256) or public key (RS256/ES256) used by the issuer. We don't have those — you have. Decoding shows you what the token *claims*; verification proves it's *authentic*. Always verify on your server before trusting any claim.

Three base64url-encoded segments separated by dots: header (algorithm + type, e.g. {alg:'HS256', typ:'JWT'}), payload (claims like sub, iat, exp, iss, plus any custom data), and signature (cryptographic proof). The signature is computed over header.payload using the secret/key.

What do iat, exp, and sub mean?

Standard JWT claims: iat (issued-at) is the Unix timestamp of token creation. exp (expiration) is when the token stops being valid. sub (subject) identifies who the token is about — usually a user ID. Other common ones: iss (issuer), aud (audience), nbf (not-before), jti (unique token ID). All are optional but most servers require iat + exp.

Why are my JWT claims unreadable?

Three common causes: (1) the token isn't a JWT — many APIs use opaque tokens that look similar but aren't base64-encoded JSON. (2) The token is JWE (encrypted) instead of JWS — JWE has 5 segments, and the payload can't be decoded without the key. (3) Pasted with extra whitespace or a quote — strip surrounding characters and try again.

How long should JWTs live?

Short for access tokens (5–60 minutes), longer for refresh tokens (days to weeks). Long-lived access tokens become a liability if leaked — you can't revoke them server-side without an extra lookup, which defeats the stateless point of JWTs. If you need 24h+ access, build refresh-token rotation.

How do I decode a JWT?

Paste the token (a string with three dot-separated base64url segments) into Specway's JWT decoder. The header (algorithm + token type) and payload (claims) are decoded and displayed as formatted JSON. The signature is shown but not verified — verification requires the secret or public key, which you should never paste into a browser tool.

Is it safe to paste a JWT into an online decoder?

Specway's decoder runs entirely in your browser — no network request leaves the page. That said, JWTs aren't encrypted; anyone who has the token can decode the payload. Treat them like passwords: don't paste production tokens you wouldn't paste anywhere else, and rotate any token you've shared into a tool.

Why does the decoder say "signature not verified"?

Verification requires the secret (HS256) or public key (RS256/ES256) used by the issuer. We don't have those — you have. Decoding shows you what the token *claims*; verification proves it's *authentic*. Always verify on your server before trusting any claim.

Three base64url-encoded segments separated by dots: header (algorithm + type, e.g. {alg:'HS256', typ:'JWT'}), payload (claims like sub, iat, exp, iss, plus any custom data), and signature (cryptographic proof). The signature is computed over header.payload using the secret/key.

What do iat, exp, and sub mean?

Standard JWT claims: iat (issued-at) is the Unix timestamp of token creation. exp (expiration) is when the token stops being valid. sub (subject) identifies who the token is about — usually a user ID. Other common ones: iss (issuer), aud (audience), nbf (not-before), jti (unique token ID). All are optional but most servers require iat + exp.

Why are my JWT claims unreadable?

Three common causes: (1) the token isn't a JWT — many APIs use opaque tokens that look similar but aren't base64-encoded JSON. (2) The token is JWE (encrypted) instead of JWS — JWE has 5 segments, and the payload can't be decoded without the key. (3) Pasted with extra whitespace or a quote — strip surrounding characters and try again.

How long should JWTs live?

Short for access tokens (5–60 minutes), longer for refresh tokens (days to weeks). Long-lived access tokens become a liability if leaked — you can't revoke them server-side without an extra lookup, which defeats the stateless point of JWTs. If you need 24h+ access, build refresh-token rotation.

Free Tool

JWT Decoder (2026)

Decode JWT tokens to inspect header and payload. Detects expired tokens. Runs entirely in your browser — no upload, no logging. Signature is shown but not verified (verify server-side with your secret).

JWT token

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 9999999999
}

Expires in 95137d

Signature not verified. Decoding does not check authenticity. Verify on your server with the shared secret or public key.

What a JWT actually is

A JSON Web Token is three base64url-encoded segments joined by dots: header.payload.signature.

The header declares the signing algorithm and token type. The payload carries claims — standard ones (iat, exp, sub, iss) plus whatever custom data the issuer attached. The signature is a cryptographic hash over header+payload, computed with a shared secret (HS256) or a private key (RS256/ES256).

The point of the signature is that anyone with the public key (or shared secret) can verify the token wasn't tampered with — without a database lookup. That's what makes JWTs "stateless."

Decoding ≠ verifying

This tool decodes — it splits, base64url-decodes, and shows you the claims. It does not verify the signature. Verification requires the secret (HS256) or public key (RS256/ES256), which you should never share with a browser tool.

On your server, every JWT-protected route should verify before trusting any claim. Use a battle-tested library — jsonwebtoken, jose, PyJWT — never roll your own. Common mistakes (accepting alg: none, mixing HMAC verification with an asymmetric key) have been weaponized for a decade.

Standard claims you should know

iat (issued at) — Unix seconds when the token was created.
exp (expiration) — Unix seconds when the token stops being valid. The decoder shows relative time (e.g. "expires in 12m").
sub (subject) — who the token is about. Typically a user ID.
iss (issuer) — who issued the token. Verify this matches your auth server.
aud (audience) — who the token is for. Verify this matches your service identifier.
nbf (not before) — Unix seconds before which the token is invalid (rarely used).
jti (JWT ID) — unique identifier for revocation lookup.

Sensible token lifetimes

Access tokens: 5–60 minutes. Short because you can't revoke a stateless JWT mid-flight — if a token leaks, you live with it until exp.

Refresh tokens: days to weeks. Stored server-side or in a httpOnly cookie. Used to mint new access tokens. Rotate on every use.

If your access tokens are 24h+, you're trading security for convenience. Build refresh rotation instead — modern client SDKs (NextAuth, Clerk, Auth0) handle it for you.

Ship API docs that stay this clean

Specway turns your OpenAPI spec into a branded developer portal — auto-synced, searchable, with built-in playground and code samples in every language. Free tier available.

Related tools

JSON Formatter

Pretty-print the decoded payload.

JSON Validator

Validate JSON syntax with line/column errors.

JSON Schema Validator

Validate JWT claims against an expected shape.

cURL to Code

Convert curl with Auth header to JS/Python.

Frequently asked questions

Free Tool

JWT Decoder (2026)

JWT token

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 9999999999
}

Expires in 95137d

Signature not verified. Decoding does not check authenticity. Verify on your server with the shared secret or public key.

What a JWT actually is

A JSON Web Token is three base64url-encoded segments joined by dots: header.payload.signature.

The point of the signature is that anyone with the public key (or shared secret) can verify the token wasn't tampered with — without a database lookup. That's what makes JWTs "stateless."

Decoding ≠ verifying

Standard claims you should know

iat (issued at) — Unix seconds when the token was created.
exp (expiration) — Unix seconds when the token stops being valid. The decoder shows relative time (e.g. "expires in 12m").
sub (subject) — who the token is about. Typically a user ID.
iss (issuer) — who issued the token. Verify this matches your auth server.
aud (audience) — who the token is for. Verify this matches your service identifier.
nbf (not before) — Unix seconds before which the token is invalid (rarely used).
jti (JWT ID) — unique identifier for revocation lookup.

Sensible token lifetimes

Access tokens: 5–60 minutes. Short because you can't revoke a stateless JWT mid-flight — if a token leaks, you live with it until exp.

Refresh tokens: days to weeks. Stored server-side or in a httpOnly cookie. Used to mint new access tokens. Rotate on every use.

If your access tokens are 24h+, you're trading security for convenience. Build refresh rotation instead — modern client SDKs (NextAuth, Clerk, Auth0) handle it for you.

Ship API docs that stay this clean

Specway turns your OpenAPI spec into a branded developer portal — auto-synced, searchable, with built-in playground and code samples in every language. Free tier available.

Related tools

JSON Formatter

Pretty-print the decoded payload.

JSON Validator

Validate JSON syntax with line/column errors.

JSON Schema Validator

Validate JWT claims against an expected shape.

cURL to Code

Convert curl with Auth header to JS/Python.

JWT Decoder (2026)

What a JWT actually is

Decoding ≠ verifying

Standard claims you should know

Sensible token lifetimes

Ship API docs that stay this clean

Related tools

Frequently asked questions

How do I decode a JWT?

Is it safe to paste a JWT into an online decoder?

Why does the decoder say "signature not verified"?

What's inside a JWT?

What do iat, exp, and sub mean?

Why are my JWT claims unreadable?

How long should JWTs live?

JWT Decoder (2026)

What a JWT actually is

Decoding ≠ verifying

Standard claims you should know

Sensible token lifetimes

Ship API docs that stay this clean

Related tools

Frequently asked questions

How do I decode a JWT?

Is it safe to paste a JWT into an online decoder?

Why does the decoder say "signature not verified"?

What's inside a JWT?

What do iat, exp, and sub mean?

Why are my JWT claims unreadable?

How long should JWTs live?

JWT Decoder (2026)

What a JWT actually is

Decoding ≠ verifying

Standard claims you should know

Sensible token lifetimes

Ship API docs that stay this clean

Related tools

Frequently asked questions

How do I decode a JWT?

Is it safe to paste a JWT into an online decoder?

Why does the decoder say "signature not verified"?

What's inside a JWT?

What do iat, exp, and sub mean?

Why are my JWT claims unreadable?

How long should JWTs live?

JWT Decoder (2026)

What a JWT actually is

Decoding ≠ verifying

Standard claims you should know

Sensible token lifetimes

Ship API docs that stay this clean

Related tools

Frequently asked questions

How do I decode a JWT?

Is it safe to paste a JWT into an online decoder?

Why does the decoder say "signature not verified"?

What's inside a JWT?

What do iat, exp, and sub mean?

Why are my JWT claims unreadable?

How long should JWTs live?