JWT Decoder

Paste a token, see every claim. Decoded in your browser — no server, no leak.

Security Notice: NEVER paste production JWTs with active secrets into any online tool, including this one. Use dev tokens only. Decoding happens in your browser — no network request is made.

How the JWT Decoder Works

A JWT consists of three Base64URL-encoded segments separated by dots: header, payload, and signature. This tool splits the token on the dots, Base64URL-decodes the header and payload segments to bytes, decodes those bytes as UTF-8 with TextDecoder (so non-ASCII claim values render correctly), and displays the parsed JSON; the signature segment is shown as-is, since it is raw bytes rather than JSON. The algorithm (alg) and type (typ) from the header are displayed as badges. Registered claims (iss, sub, aud, exp, iat, nbf) are labelled, and the time-based ones (exp, iat, nbf) are rendered as human-readable timestamps.

The optional HS256 signature verification uses the Web Crypto API (HMAC-SHA256) entirely in the browser. Enable it, enter your HMAC secret, and the tool verifies whether the signature matches. No data ever leaves your browser.

References

The JWT structure is defined in RFC 7519 — JSON Web Token (JWT) (rfc-editor.org/rfc/rfc7519). This RFC specifies the three-part structure, registered claim names (iss, sub, aud, exp, nbf, iat, jti), and the Base64URL encoding.

Signing algorithms (HS256, RS256, ES256, etc.) are defined in RFC 7518 — JSON Web Algorithms (JWA) (rfc-editor.org/rfc/rfc7518). This tool only verifies HS256 (HMAC-SHA256) in v1.

What's here — and what's not

Full JWT decoding: header (alg, typ), payload with all custom claims, signature display. Standard claims (exp, iat, nbf) rendered as human-readable ISO timestamps with relative time (e.g. 'expired 3 days ago'). Optional HS256 signature verification via Web Crypto. Security notice reminding you not to paste production tokens.

What isn't here: JWE (JSON Web Encryption) decryption — encrypted tokens require the recipient's decryption key (a private key for asymmetric JWE, a shared key for symmetric JWE) and are fundamentally different from signed JWTs. RS256, ES256, PS256 signature verification — asymmetric algorithms require the public key in PEM or JWK format, which is v2. Token generation or signing is also not supported — this is a decoder and inspector, not an auth tool.

Frequently Asked Questions

What is a JWT?
A JSON Web Token (JWT, pronounced 'jot') is a compact, URL-safe token format defined in RFC 7519. It consists of three Base64URL-encoded parts: a header (algorithm and type), a payload (claims about the subject), and a signature. JWTs are commonly used in authentication (bearer tokens), authorization, and information exchange between services.
Is it safe to paste my JWT here?
This tool decodes entirely in your browser — no data is sent to any server. However, you should still never paste production JWTs containing live session credentials or sensitive user data into any online tool. Use dev/test tokens here. If a production token is accidentally pasted, treat it as compromised: revoke the session it belongs to, or rotate the signing key if the token cannot be revoked individually.
What are the exp, iat, and nbf claims?
These are registered claim names defined in RFC 7519: exp (expiration time) — the token must not be accepted after this Unix timestamp. iat (issued at) — when the token was created. nbf (not before) — the token must not be accepted before this timestamp. All three are NumericDate values (Unix seconds). Verifiers compare them against the current time, usually allowing a small leeway (RFC 7519 suggests no more than a few minutes) for clock skew between issuer and verifier.
What is the difference between HS256 and RS256?
HS256 (HMAC-SHA256) is a symmetric algorithm — the same secret key is used to both sign and verify the token. RS256 (RSA-SHA256) is asymmetric — a private key signs the token and a public key verifies it. RS256 is preferred in distributed systems because the verifying party never needs the private key. Whichever you use, the verifier must fix the expected algorithm and key in advance rather than trusting the token's alg header: a verifier that lets the header choose can be tricked into treating an RSA public key as an HMAC secret, or into accepting alg none. This tool supports HS256 verification only.
Where is the JWT specification documented?
The JWT specification is RFC 7519, published by the IETF in May 2015, available at rfc-editor.org/rfc/rfc7519. Signing algorithms are defined in RFC 7518 (JWA). The full family of standards is called JOSE (JSON Object Signing and Encryption) and includes RFC 7515 (JWS), RFC 7516 (JWE), RFC 7517 (JWK), and RFC 7518 (JWA).