What is the 'exp' claim in a JWT?

The 'exp' (Expiration Time) claim is a Unix timestamp after which the token must not be accepted. The tool shows the expiration status in real time and calculates the remaining time.

Can I create a JWT with this tool?

Yes. The Build tab lets you create signed HS256/HS384/HS512 JWTs. For RS/ES algorithms, an unsigned token is generated (signing requires a private key not available in the browser).

Are my JWT tokens secure?

Yes. All decoding and verification runs in your browser via JavaScript and SubtleCrypto. No token, secret, or key is ever transmitted to a server.

Flowfiles ← All tools

JWT Decoder Online

Decode · Verify · Build — HS256 · RS256 · ES256 · Claims · Expiration — 100% local, no upload

Paste any JWT token to instantly decode its header, payload, and claims. Verify HMAC signatures with your secret, or RS256/ES256 with a PEM public key. Test expiration, travel through time, and build your own signed tokens.

What is a JWT?

A JSON Web Token (JWT) is an open standard (RFC 7519) defining a compact, self-contained way to transmit information between parties as a signed JSON object. A JWT consists of three Base64URL-encoded parts separated by dots:

Header: signing algorithm (alg) and token type (typ).
Payload: claims — data about the user and metadata (sub, iss, exp, iat…).
Signature: ensures the token has not been tampered with. Computed over the header and payload using a secret or key pair.

Features

Instant JWT decode (header + payload)
HMAC signature verify (HS256/384/512)
RSA signature verify (RS256/384/512)
RSA-PSS verify (PS256/384/512)
ECDSA verify (ES256/384/512)
Base64 or plain-text HMAC secret
PEM public key (SPKI format)
exp / nbf / iat claim inspection
Real-time expiration status
Time travel (test at any date)
JSON syntax highlighting
JWT builder with HS* signing
Quick-add standard claims
Copy header / payload / raw JWT
Export decoded JSON
100% local — no token sent

Frequently asked questions

How do I decode a JWT token?

Paste your JWT into the input field. The tool automatically splits the three dot-separated parts and displays the header and payload as indented, syntax-highlighted JSON. Decoding is instant and runs entirely in your browser.

How do I verify an HS256 JWT signature?

Click Advanced options and enter your HMAC secret. If your secret is Base64-encoded, tick the checkbox. The tool uses the browser's SubtleCrypto API to verify the HMAC-SHA256 signature and shows ✓ Valid signature or ✗ Invalid signature.

How does time travel work?

In Advanced options, pick a date and time. The tool recalculates the exp and nbf status against that date, letting you simulate whether the token would be valid at any point in time — useful for debugging expiration issues.

Can I verify RS256 JWTs in the browser?

Yes. Paste the RSA public key in PEM (SPKI) format into the dedicated field. The SubtleCrypto API imports the key and verifies the RSA-PKCS#1-v1_5 or RSA-PSS signature directly in the browser, with no network requests.

Are my JWT tokens private?

Absolutely. No data is sent to any server. Decoding, signature verification, and token building all run in JavaScript in your browser.

Related tools

JWT Decoder Verify JWT Signature JWT OAuth 2.0 JWT Expiration JWT No Upload Base64 Encoder UUID Generator JSON ↔ CSV