About the JWT Decoder

JSON Web Tokens (JWTs) are a widely used authentication token format for modern web APIs. A JWT encodes three pieces of information: the header (the signing algorithm), the payload (claims such as user ID, roles and expiry), and the signature (used to verify authenticity).

What this tool does

It Base64URL-decodes the header and payload and displays them as readable JSON. If the payload contains an exp claim, it shows the expiry date/time and whether the token is currently within its validity window or has expired (judged from exp alone; the signature is not checked).

Security note

This tool does not verify the signature — that requires the secret key, which should never leave your server. The tool is decode-only and sends no data anywhere.

JWT structure explained

A JWT consists of three Base64URL-encoded sections separated by dots: header.payload.signature. The header identifies the algorithm (typically RS256 or HS256). The payload contains claims: registered claims like iss (issuer), exp (expiry), sub (subject), and iat (issued at), plus any custom claims. The signature is computed over the encoded header and payload: with a shared secret for HMAC algorithms such as HS256, or with a private key for asymmetric algorithms such as RS256.

Frequently Asked Questions

Is this safe to use with real tokens?
The tool is decode-only and runs entirely in your browser. No data is sent anywhere. Still, avoid pasting tokens that grant access to live production systems.
Why is the signature not verified?
Verification requires the secret key. This is a decoder only. Always verify tokens server-side with the proper secret in production.
What is a JWT?
A JSON Web Token is a compact, Base64URL-encoded token format used for authentication. It has three parts: header, payload (claims), and signature.
How do I validate a JWT signature?
Decoding a JWT (reading its claims) requires no key. Verifying the signature requires the secret (HMAC algorithms like HS256) or the public key (RSA/ECDSA algorithms like RS256). This tool decodes the payload without verification — for signature validation use a JWT library in your application code.
What does "exp" mean in a JWT and how do I check expiry?
The "exp" (expiration) claim is a Unix timestamp after which the token is invalid. To check: compare exp to the current Unix timestamp. In JavaScript: const isExpired = Date.now() / 1000 > decodedPayload.exp. Many APIs return 401 Unauthorized when receiving an expired JWT.