JWT Decoder — Inspect Header, Payload & Expiry | Tinker

JWT Decoder — Inspect Header, Payload & Expiry | Tinker

JWT Token

Paste a JWT token above to decode it

⚠️ Decoding only — no signature verification. Never share tokens containing sensitive data.

Understanding JWT Structure

A JSON Web Token (JWT) is a compact, URL-safe string made up of three Base64url-encoded parts separated by dots: header.payload.signature. The header and payload are readable by anyone — the signature is what makes them tamper-evident.

Part	Content	Example values
Header (orange)	Algorithm & token type	`alg: HS256, typ: JWT`
Payload (purple)	Claims — user data & metadata	`sub, iat, exp, roles`
Signature (green)	HMAC or RSA of header + payload	Opaque bytes, base64url-encoded

Standard claim reference

Claim	Full name	Type	Meaning
`iss`	Issuer	string	Who issued the token (e.g. your auth server URL)
`sub`	Subject	string	Who the token represents (usually a user ID)
`aud`	Audience	string/array	Who the token is intended for
`exp`	Expiration	Unix timestamp	Token must be rejected after this time
`nbf`	Not Before	Unix timestamp	Token must be rejected before this time
`iat`	Issued At	Unix timestamp	When the token was created
`jti`	JWT ID	string	Unique identifier — used to prevent replay attacks

Security notes

This tool only decodes — it does not verify the signature. A decoded JWT should never be trusted without server-side signature validation.
Never put secrets (passwords, private keys, SSNs) in a JWT payload — the payload is readable by anyone with the token.
Always validate exp and iss on the server. Client-side expiry checks are informational only.

© 2026, Tinker - tools · calculators · practice games