Question 1

Can this tool verify JWT signatures?

Accepted Answer

This tool decodes and displays the JWT structure, header, and payload claims. Signature verification requires the signing key or public certificate, which should be done server-side for security reasons. However, the tool shows the algorithm (e.g., HS256, RS256) used to sign the token.

Question 2

Is it safe to paste my JWT here?

Accepted Answer

Yes. This tool runs entirely in your browser — your token is never sent to any server. However, you should always treat JWTs as sensitive data. Avoid sharing them publicly, as the payload can be decoded by anyone (JWTs are signed, not encrypted by default).

Question 3

What's the difference between JWT encoding and encryption?

Accepted Answer

Standard JWTs (JWS) are signed but not encrypted — anyone can read the payload by Base64-decoding it. If you need payload confidentiality, use JWE (JSON Web Encryption), which encrypts the content. Most authentication systems use JWS because the goal is integrity verification, not secrecy.

Question 4

Why does my JWT show as expired?

Accepted Answer

The exp (expiration) claim contains a Unix timestamp. If the current time is past this value, the token is expired. Most JWT libraries reject expired tokens automatically. Short expiration times (15 minutes to 1 hour) are a security best practice — use refresh tokens for longer sessions.

JWT Decoder

What is a JSON Web Token (JWT)?

How to Use This JWT Decoder

Frequently Asked Questions

Related Tools