JWT Decoder
Decode and inspect JSON Web Tokens — header, payload, signature, expiry — entirely in your browser.
About JWT Decoder
JSON Web Tokens (JWTs) are the standard mechanism for stateless authentication in modern web applications. When you log into a service that uses JWT-based auth, the server issues a token that encodes your identity and permissions in a self-contained, cryptographically signed package. Your browser sends this token in the `Authorization: Bearer <token>` header on subsequent requests, and the server can verify your identity without consulting a database.
A JWT consists of three Base64url-encoded parts separated by dots: the header (algorithm and token type), the payload (claims — user ID, expiry time, roles, etc.), and the signature (a MAC or digital signature computed over the first two parts, which proves the token wasn't tampered with). The header and payload are just encoded — not encrypted — so their contents are visible to anyone who holds the token. This is by design: the secrecy of the payload is not the point; the integrity guarantee (signature verification) is.
This is why it's safe and useful to decode a JWT without the signing secret: you're simply reading the un-encrypted claims. The signature verification step requires the secret or public key and is only necessary if you need to confirm the token is genuine; decoding alone tells you what the token says, not whether it can be trusted, so a server accepting the token must still verify the signature before acting on any claim. Common claims you'll see in JWTs include `sub` (subject/user ID), `iat` (issued at — Unix timestamp), `exp` (expiry — Unix timestamp), `aud` (audience), `iss` (issuer), and application-specific claims like `role` or `email`.
This decoder shows you all three parts formatted for readability, the expiry time as a human-readable date, and a warning if the token has already expired.