JWT Decoder
Decode and inspect JSON Web Tokens without any server calls
Decoding happens entirely in your browser, so the token is never sent to a server. A bearer token is still a credential until it expires, so treat it as one wherever you paste it.
What Is a JWT?
A JSON Web Token (JWT, pronounced “jot”) is a compact, URL-safe token format defined in RFC 7519. It's used to securely transmit claims between parties — most commonly for authentication and authorization in web applications. A JWT consists of three Base64url-encoded parts separated by dots: header.payload.signature.
The header specifies the signing algorithm (for example HS256, RS256 or ES256) and the token type. The payload carries the claims: statements about the subject (sub, name, email) and metadata about the token itself (iat, exp, iss, aud). The signature is not a plain hash: it is an HMAC (HS*) or a digital signature (RS*, ES*) computed over the encoded header and payload, so a verifier holding the right key can detect any change to either part. Note that the header, including the alg field, is itself part of the unverified input; a verifier must pin the algorithm it expects rather than read it from the token.
Standard JWT Claims
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Who issued the token (e.g., auth server URL) |
| sub | Subject | Who the token is about (usually user ID) |
| aud | Audience | Intended recipient(s) of the token |
| exp | Expiration | Unix timestamp when the token expires |
| iat | Issued At | Unix timestamp when the token was created |
| nbf | Not Before | Token is not valid before this time |
| jti | JWT ID | Unique identifier for the token |
Important: Decoding ≠ Verification
This tool decodes JWTs: it Base64url-decodes the header and payload and shows them as JSON. It does not verify the signature. For HMAC algorithms (HS256 and friends) that would need the issuer's shared secret, which should never be present in a browser; for RSA/ECDSA it would need the issuer's public key, which is often published via a JWKS endpoint but is not fetched or checked here. Anything you read in the decoded payload is what the token claims, not what has been proven. Never act on a JWT's claims in a production system without verifying the signature, the expected algorithm, and the time and audience claims server-side.
When to Use This Tool
Debugging Auth Flows
Inspect tokens from OAuth2/OIDC providers (Auth0, Okta, Firebase, Cognito) to see which claims, scopes, roles and expiration times were actually issued.
API Development
Check that your auth middleware is generating tokens with the correct claims before and after making changes.
Token Expiration Issues
Quickly check if a user's token is expired when debugging “401 Unauthorized” errors.
Security Audits
Review what a JWT carries. The payload is only Base64url-encoded, so anyone holding the token can read it: keep emails, permissions and other PII to the minimum the relying party needs, and never put secrets in a token.
How to Use the JWT Decoder
Get your JWT
Copy a JWT from your browser's localStorage/sessionStorage, browser dev tools (Application tab), an API response, or your auth provider's dashboard.
Paste it in
Paste the full JWT string (three dot-separated sections) into the input field. The decoder automatically handles any leading/trailing whitespace.
Decode
Click "Decode JWT". The header (algorithm, type), payload (all claims), and a summary of the signature section appear immediately.
Inspect the claims
Review the decoded output to check user ID (sub), roles/scopes, expiration time (exp), issuer (iss), and any custom claims your auth system uses.
Frequently Asked Questions
Can I verify the JWT signature here?
No. This tool only Base64url-decodes the header and payload. Verifying the signature needs the issuer's key: for HMAC algorithms that is a shared secret that must stay on the server, and for RSA/ECDSA it is the issuer's public key, usually published via a JWKS endpoint, which this tool does not fetch. Never trust JWT claims in production without server-side verification of the signature, the expected algorithm, and the time claims.
Is it safe to paste a production JWT here?
Decoding happens entirely in your browser; the token is not sent to any server. It is still a bearer credential, though: until it expires, anyone who obtains it can use it. Avoid pasting long-lived tokens or tokens with sensitive permissions on shared or public machines, prefer short-lived access tokens, and if a token with broad permissions does leak, revoke it where your provider supports that.
Why does my JWT show as expired?
The exp claim is a Unix timestamp in seconds since the epoch. If the current time is past exp, the token is expired. If a freshly issued token already shows as expired, check that the system clocks on the issuer and the client are correct, and check the magnitude of the value: a 13-digit exp means the issuer wrote milliseconds instead of seconds, which the specification does not allow and which verifiers misinterpret. Otherwise, re-authenticate to get a fresh token.
My JWT only has two parts (header.payload). Is that normal?
A signed JWT has three parts (header.payload.signature). The only compliant two-segment form is an unsecured JWT (alg: none), which still ends in a dot with an empty signature, so it has the shape header.payload. with nothing after the final dot. A token with exactly two segments and no trailing dot is not a JWT and is probably another format. This decoder requires the three-part structure. Note also that a server should reject alg: none outright rather than treat an absent signature as valid.
What is the difference between access tokens and refresh tokens?
Access tokens are short-lived (typically 15 minutes to 1 hour) and are presented on API requests; many providers issue them as JWTs, but some use opaque strings that cannot be decoded. Refresh tokens are long-lived credentials used only to obtain new access tokens; they are usually opaque, so they cannot be decoded here, and because they outlive any single access token they should be guarded more carefully.
Built by JDApplications