JWT Decoder – Decode JSON Web Tokens Online | ToolTree
Decode JWT header, payload, and signature instantly for free. ToolTree provides a secure, client-side JWT decoder for developers and security engineers.
JWT Decoder
Safely decode and inspect JSON Web Tokens (JWT). View the cryptographic header, claims payload, and signature format instantly. All decoding happens entirely in your browser.
How to use the JWT Decoder?
To decode a JSON Web Token, paste your encoded string into the input box above. A standard JWT has three parts separated by dots (Header.Payload.Signature). Our tool will automatically split these and decode the Base64Url strings into human-readable JSON objects.
Security & Privacy
Because JWTs often contain sensitive user data or authentication claims, we ensure all decoding happens entirely on your device. No data is ever transmitted to our servers, keeping your tokens safe and private.
Deep-Dive: JWT Structure Example
1. Raw Input (Encoded)
Notice the three distinct color-coded sections separated by dots.
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Defines the signing algorithm (HMAC SHA256) and the media type of the token.
Payload
{
  "sub": "123456",
  "name": "John Doe",
  "admin": true,
  "exp": 1735689600
}
Contains 'claims' or data about the user (subject, name, roles, expiry).
Signature
Created by signing the encoded header+payload using a secret key to ensure integrity.
Frequently Asked Questions
Can it verify the signature?
Currently, this tool is for decoding and inspecting content (Header/Payload). Verifying signatures requires the secret key or public certificate used to sign the token.
What is the 'exp' (Expiration) claim?
The exp claim provides the timestamp after which the token is considered invalid. Our decoder helps you read this value in human-readable terms by viewing the Payload JSON.
Can I edit and re-sign a JWT?
You can decode any JWT, but you cannot modify the payload and expect it to remain valid unless you have the original private key or secret to re-calculate the signature.
Is JWT Payload encrypted?
No. JWT is encoded using Base64Url, not encrypted. Any user who captures the token can read the payload data easily. Always use HTTPS and never store highly sensitive secrets like passwords in the payload.
What is Base64Url encoding?
It's a variant of Base64 that replaces + with - and / with _, making it safe for use in URLs and filenames.
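The decoding steps described above (split on dots, Base64Url-decode, read exp), as an added example that is not ToolTree's own code. The function names, the placeholder signature and the sample token are assumptions constructed here from the header and payload shown on this page; it runs in a browser console or in Node.

```javascript
// Added example: decode-only JWT inspection. It does NOT verify the signature.

// Base64Url -> UTF-8 text: map "-"/"_" back to "+"/"/" and restore "=" padding.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("segment is not valid Base64Url");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Inverse of base64UrlDecode, used only to build the constructed sample.
function base64UrlEncode(text) {
  const b64 = btoa(String.fromCharCode(...new TextEncoder().encode(text)));
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Split Header.Payload.Signature and decode the two JSON parts.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  const hasExp = typeof payload.exp === "number";
  return {
    header,
    payload,
    signature: parts[2], // left encoded: raw bytes, not JSON
    expiresAt: hasExp ? new Date(payload.exp * 1000).toISOString() : null,
    expired: hasExp ? nowSeconds >= payload.exp : null,
    verified: false, // decoding never proves integrity
  };
}

// Constructed sample built from the header and payload shown on this page.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({ sub: "123456", name: "John Doe", admin: true, exp: 1735689600 })),
  "constructed-placeholder-signature", // placeholder, not a real HMAC
].join(".");

console.log(decodeJwt(SAMPLE_TOKEN));
```

A token with a modified payload decodes just as cleanly, which is why `verified` stays false: treat decoded claims as untrusted until the signature has been checked with the key.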