JWT Decoder

Decode JWT (JSON Web Token) header and payload, and check expiration status.

JWT Token
Privacy and Sharing
Server processing JWT decoding sends the token to ComUtil so the server can parse claims, warnings, and share-safe outputs.
Sensitive input If the input is sensitive, start with a browser-local tool or redact first, then move into a server-handled or lookup workflow only when it is necessary.
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
{
  "sub": "user-123",
  "iat": 1700000000,
  "exp": 1700000300
}
Warnings
Token is expired.
Claim Summary
Subject user-123
Issued At (iat) 2023-11-14 22:13:20 UTC
Expires (exp) 2023-11-14 22:18:20 UTC
Token Information
Algorithm HS256
Type JWT
Subject user-123
Issued At (iat) 2023-11-14 22:13:20 UTC
Expires (exp) 2023-11-14 22:18:20 UTC EXPIRED
Signature signature
Token Segments
Header Length: 36
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Payload Length: 70
eyJzdWIiOiJ1c2VyLTEyMyIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjoxNzAwMDAwMzAwfQ
Signature Length: 9
signature
What is a JWT?

JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. JWTs can be signed using a secret (HMAC) or a public/private key pair (RSA/ECDSA). They're commonly used for authentication and information exchange in web applications.

JWT Structure

A JWT consists of three parts separated by dots: Header (algorithm and token type), Payload (claims/data), and Signature (verification). Each part is Base64Url encoded. The signature ensures the token hasn't been tampered with, but the header and payload can be decoded by anyone.

Common Use Cases
  • User authentication and authorization
  • Single Sign-On (SSO) systems
  • API authentication
  • Secure information exchange between services
  • Stateless session management
Standard Claims
iss Issuer - Who created and signed the token
sub Subject - Who the token is about (usually user ID)
aud Audience - Intended recipient of the token
exp Expiration - Unix timestamp when token expires
iat Issued At - Unix timestamp when token was created
Frequently Asked Questions

Are JWTs encrypted?

Standard JWTs (JWS) are signed but not encrypted - anyone can read the payload. For encrypted tokens, use JWE (JSON Web Encryption). Never store sensitive data in regular JWTs.

How do I invalidate a JWT?

JWTs are stateless by design and can't be directly invalidated. Common strategies include short expiration times, token blacklists, or changing the signing key (invalidates all tokens).