JWT Decoder

Decode a JSON Web Token (JWT) to inspect its header, payload, and signature

How to use the JWT Decoder

To decode a JWT, paste the token into the box and the tool splits it into header and payload and pretty-prints the JSON. Expiry and issued-at claims are shown as readable dates. Decoding happens entirely in your browser, so nothing is sent to a server, and the signature is not verified.

  1. Paste your token. Drop the full JWT, in the form header.payload.signature, into the input box.
  2. Read the header and payload. The tool base64url-decodes each part and shows the JSON formatted for easy reading.
  3. Check the claims. Expiry, issued-at, and not-before times are shown as human-readable dates with an expired indicator.
  4. Stay private. Everything runs locally in your browser, so the token never leaves your device.

About JSON Web Tokens

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It is made of three base64url-encoded parts separated by dots: the header, the payload, and the signature — written as header.payload.signature.

The header describes the token type and signing algorithm. The payload contains the claims (such as the subject, issued-at time, and expiration). The signature, produced by the issuer, lets a recipient verify that the header and payload have not been tampered with.

This decoder splits the token, base64url-decodes the header and payload, and pretty-prints them as JSON. It does not verify the signature — anyone can read a JWT, so never store secrets in the payload.
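The decoding steps described above (split on dots, base64url-decode with the stripped padding restored, parse the JSON, convert exp/iat/nbf to dates and flag an expired token), as an added example that is not the tool's own source. It runs in a browser or in Node, takes the current time as a parameter so the expiry check is deterministic, and builds its own constructed sample token with a placeholder signature; like the tool, it never verifies the signature and says so in its result.

```javascript
// Added example: decode a JWT without verifying it, as the tool does.
// Assumes a browser or Node runtime with atob/btoa and TextDecoder/TextEncoder.

function base64UrlDecode(segment) {
  // base64url -> standard base64, then restore the "=" padding JWTs strip
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const rem = b64.length % 4;
  if (rem === 1) throw new Error("invalid base64url segment length");
  if (rem) b64 += "=".repeat(4 - rem);
  const binary = atob(b64);
  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
  // fatal: true rejects segments that are not valid UTF-8 instead of guessing
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function base64UrlEncode(text) {
  const bytes = new TextEncoder().encode(text);
  const binary = String.fromCharCode(...bytes);
  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

const TIME_CLAIMS = ["exp", "iat", "nbf"];

// nowSeconds is injected so callers (and tests) can pin "now" to a fixed instant.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [h, p, signature] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  const times = {}; // Unix seconds -> ISO-8601 strings for display
  for (const claim of TIME_CLAIMS) {
    if (typeof payload[claim] === "number") {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  const expired = typeof payload.exp === "number" && payload.exp <= nowSeconds;
  const notYetValid = typeof payload.nbf === "number" && payload.nbf > nowSeconds;
  // verified is always false: the signature is displayed, never checked
  return { header, payload, signature, times, expired, notYetValid, verified: false };
}

// Constructed sample token: HS256 header, short-lived payload, placeholder signature.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({ sub: "user-42", iat: 1700000000, exp: 1700003600 })),
  "placeholder-signature-not-verified",
].join(".");
```

Because the signature is never checked, treat the returned payload as untrusted input: a token can be edited and re-encoded by anyone, and only the issuer's key can tell a forged token from a genuine one.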

Frequently Asked Questions

A JWT (JSON Web Token) is a compact, URL-safe token format used to securely transmit claims between parties. It has three base64url-encoded parts — header, payload, and signature — separated by dots, and is commonly used for authentication and authorization.

No. This is a decoder only. It displays the header, payload, and signature but does not validate the signature. Verifying a signature requires the issuer's secret or public key and should be done server-side. Never trust a token's contents based on decoding alone.

No. Decoding runs entirely in your browser using JavaScript. Your JWT never leaves your device and is not transmitted, logged, or stored anywhere. This makes it safe to inspect sensitive tokens.

"exp", "iat", and "nbf" are standard time claims expressed as Unix timestamps (seconds since 1970). "exp" is the expiration time after which the token is invalid, "iat" is when the token was issued, and "nbf" ("not before") is the earliest time the token becomes valid. This decoder converts them to readable dates and flags expired tokens.

No. A standard JWT payload is only base64url-encoded, not encrypted, so anyone who has the token can read its contents (as this tool demonstrates). Never store passwords, secrets, or private data in a JWT payload unless you are using an encrypted variant such as JWE.
