loot.tools

JWT Encoder/Decoder

Decode JWT headers and payloads or build a token from parts. Reads the iat, nbf, and exp time claims into readable dates and flags whether the token is valid or expired. Useful for debugging auth flows.

Paste a JWT to decode it, or edit header/payload/signature and build a new token. Values are not verified cryptographically.

Token
Parts

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and information exchange. It has three Base64-encoded parts separated by dots: a header (algorithm and token type), a payload (claims like user ID, expiration time, and roles), and a signature. JWTs are stateless, meaning the server doesn't need to store session data - the token itself carries all the information.

How to use this tool

Paste a JWT to decode its header and payload instantly. The tool shows each part in formatted JSON, and when the payload carries the standard time claims it reads iat, nbf, and exp into readable dates and tells you whether the token is still valid or already expired. You can also build a JWT by entering header and payload values. Note: signature verification requires the secret key, which this tool intentionally doesn't store.

Common JWT claims

iss (issuer) identifies who created the token. sub (subject) is usually the user ID. exp (expiration) is a Unix timestamp for when the token expires. iat (issued at) is when the token was created. aud (audience) specifies the intended recipient. Custom claims can include anything your application needs, like roles or permissions.