Decode and inspect JWT tokens. View header, payload, claims, and expiry status. No data is sent to any server.
A JSON Web Token (JWT) is a compact, URL-safe token format used to transmit claims between parties in a form whose integrity can be verified. JWTs are the backbone of modern authentication — used in OAuth 2.0, OpenID Connect, and API key systems. Every JWT consists of three Base64URL-encoded parts separated by dots: the Header, the Payload, and the Signature.
Header (algorithm + type) → Payload (claims: sub, iat, exp, roles) → Signature (an HMAC with a shared secret, or an RSA/ECDSA signature with a private key, computed over header.payload). Decode the first two parts to inspect claims; verify the signature server-side with the secret or public key before acting on anything in the payload.
The exp (expiration) claim is a Unix timestamp. Tokens past this time must be rejected. The Dev Cosmos tool shows a live expiry progress bar and flags expired tokens in red.
Standard claims defined by RFC 7519: iss (issuer), sub (subject), aud (audience), exp (expiry), iat (issued-at). Custom claims can be added for roles, permissions, and user metadata.
JWTs are encoded, not encrypted — anyone with the token can read the payload. Never store sensitive data (passwords, PII) in JWT claims unless you use JWE (JSON Web Encryption). Always verify the signature server-side before trusting claims.
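The following is an added example, not code from the Dev Cosmos tool: it shows the difference between the client-side inspection the tool performs (decode header and payload without trusting them) and the server-side check the text calls for (verify the HS256 signature, pin the algorithm, then enforce exp). The secret and the claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # Demo-only helper that mints a token so the checks below have input
    segs = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    sig = hmac.new(secret, ".".join(segs).encode("ascii"), hashlib.sha256).digest()
    return ".".join(segs + [b64url_encode(sig)])


def decode_unverified(token: str) -> tuple:
    # What a browser-side inspector does: read header and payload, trust nothing
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    # Server-side check: pinned algorithm, constant-time signature compare, then exp
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose the algorithm
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" not in payload or now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


# Constructed sample: secret and claims are made up for this demo
SECRET = b"constructed-demo-secret"
CLAIMS = {"sub": "alice", "iat": 1700000000, "exp": 1700003600, "roles": ["reader"]}
TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"}, CLAIMS, SECRET)
```

Splicing a modified payload onto the original signature, or presenting the token after its exp, makes verify_hs256 raise while decode_unverified still happily returns the claims.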