Q: Can I decode expired JWT tokens?
Yes. Decoding reveals the payload regardless of whether the token has expired. The "exp" claim is simply a timestamp stored in the payload — expiration is enforced by the server, not by the token format itself. This tool decodes the Base64url-encoded header and payload without checking validity or expiration.
Q: Does this validate JWT signatures?
No. This tool only decodes and displays the JWT header and payload. It does not verify the signature, as that would require the signing key or public key. Use server-side libraries for signature validation in production.
Q: What JWT claims are recognized?
The tool recognizes all standard registered claims including iss (Issuer), sub (Subject), aud (Audience), exp (Expiration), nbf (Not Before), iat (Issued At), and jti (JWT ID). Timestamp claims are automatically converted to human-readable dates.
Q: What algorithms are displayed in the header?
The tool displays the algorithm (alg) field from the JWT header, which typically includes HS256, HS384, HS512 (HMAC), RS256, RS384, RS512 (RSA), ES256, ES384, ES512 (ECDSA), and others as specified in the token.
Q: How can I tell if my JWT has expired?
Look for the "exp" (Expiration) claim in the decoded payload. The tool converts this timestamp to a human-readable date, so you can easily compare it to the current time to determine if the token is still valid.