
Header · payload · signature

Paste a JSON Web Token and see the claims unpacked at a glance.

Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
{
  "sub": "1234567890",
  "name": "Alice",
  "role": "admin",
  "iat": 1730000000,
  "exp": 2000000000
}
Standard claims
Expires (exp)
2033-05-18 03:33:20 UTC · Expires in 7y
Issued (iat)
2024-10-27 03:33:20 UTC · Issued 1y ago
Signature · Raw (Base64URL)
K4kQ0QvLq8o3Rj8f3bz8d8n9Y1T1zq5b3ZcCq7GJp2k

Signatures can't be verified without the key. Only the raw bytes are shown here.

Everything happens in your browser. Nothing is uploaded.

When to use it

Inspect a JWT that an API returned: who is signed in, when it expires, what scopes are attached. Handy for making sense of a token pasted in a bug report or server log.

How it works

Paste the token in the input. The three segments (header · payload · signature) are unpacked below. Time claims like exp, iat, and nbf are rendered as readable dates; an expired exp gets an "Expired" label.

Signatures are not verified

Verifying a JWT needs either the shared secret (HS256) or the issuer's public key (RS256/ES256). Handling a secret in the browser is a bad default, so this tool only shows the raw base64url signature. To actually trust a token, verify with a server-side library (jsonwebtoken, jose, …).
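
The difference between decoding (as described under "How it works") and verifying (this section), shown as an added example that is not this tool's own code. It uses Node.js with only the built-in crypto module; the function names, the secret and the sample token are constructed for illustration, and the sample reuses the header and payload shown above.

```javascript
// Added example: decode vs. verify for an HS256 JWT (Node.js, no third-party packages).
const { createHmac, timingSafeEqual } = require("node:crypto");

const b64urlJson = (seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));

// Decode only: what an inspector can do without the key. Proves nothing about authenticity.
function decodeJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [h, p, signature] = parts;
  const header = b64urlJson(h);
  const payload = b64urlJson(p);
  const times = {};
  for (const claim of ["exp", "iat", "nbf"]) {
    if (typeof payload[claim] === "number") {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  const expired = typeof payload.exp === "number" && nowSec >= payload.exp;
  return { header, payload, signature, times, expired };
}

// Verify: needs the shared secret. The algorithm is pinned by the verifier,
// never taken on trust from the token's own header.
function verifyHs256(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const { header, payload, signature, expired } = decodeJwt(token, nowSec);
  if (header.alg !== "HS256") return { ok: false, reason: "unexpected alg" };
  const signingInput = token.slice(0, token.lastIndexOf("."));
  const expected = createHmac("sha256", secret).update(signingInput).digest();
  const given = Buffer.from(signature, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad signature" };
  }
  if (expired) return { ok: false, reason: "expired" };
  return { ok: true, payload };
}

// Constructed sample: the page's header and payload, signed with a made-up secret.
function signHs256(payload, secret) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const input = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(payload)}`;
  return `${input}.${createHmac("sha256", secret).update(input).digest("base64url")}`;
}
const SAMPLE_SECRET = "constructed-demo-secret";
const SAMPLE = signHs256(
  { sub: "1234567890", name: "Alice", role: "admin", iat: 1730000000, exp: 2000000000 },
  SAMPLE_SECRET
);
```

A token whose payload was edited after signing still decodes cleanly; only `verifyHs256` rejects it, which is why decoded claims alone must not drive an authorization decision.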

Where does your token go?

Header, payload, and signature are parsed in your browser. Your token is never uploaded or saved. Close the tab and it's gone.

Frequently asked questions

Is it safe to paste my token here?
Yes. All decoding happens in this page's JavaScript with no outbound network requests. That said, follow your company's policy for production tokens — screenshots and clipboard managers can still leak them.
Can you verify the signature?
No. Signature verification requires the shared secret (HS256) or the issuer's public key (RS256/ES256). Handling secrets in the browser is a bad default. This tool unpacks header and payload and shows the raw signature only. Verify on the server side with `jsonwebtoken`, `jose`, or similar.
What does the 'exp' claim mean?
Expiration time — the Unix epoch second after which the token is invalid. This tool converts it to a readable date and adds an "Expired" label if it's in the past. Related: `iat` = issued at, `nbf` = not before.
Why is my JWT showing as expired?
The `exp` claim is in the past — the issuer-defined validity window has elapsed. Use your refresh token (or re-authenticate) to obtain a new JWT.
What's the difference between HS256 and RS256?
HS256 (HMAC + SHA-256) is symmetric — issuer and verifier share the same secret key. Best for single-system internal use. RS256 (RSA + SHA-256) is asymmetric — issuer signs with a private key, anyone verifies with the public key. Standard for OAuth / OpenID Connect.