JWT Decoder
Paste a JSON Web Token to inspect its header, payload and signature. Expiry and issued-at times are decoded for you, and nothing ever leaves your browser.
Decoded only — the signature is not verified.
What a JWT contains
A JSON Web Token packs three pieces into one dot-separated string. The header names the signing algorithm (like HS256 or RS256) and the token type. The payload carries the claims — who the token is about, who issued it, when it expires, and any custom data. The signature is computed from the first two parts and a key, so a server can detect tampering.
How to use it
- Paste your token. Drop the whole JWT into the box — leave out any Bearer prefix or surrounding quotes.
- Read the parts. The header and payload are decoded to formatted JSON the moment you paste.
- Check the times. Standard claims like exp and iat are shown as readable dates, with an expired or valid badge.
Decoding is not verifying
Anyone can decode a JWT — the payload is just base64, not encryption. That's why this tool deliberately stops at decoding. Confirming a token is genuine means recomputing its signature with the secret or public key that signed it, which only the issuing system should hold. Treat decoded contents as untrusted until your backend has verified the signature.
Frequently asked questions
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It has three base64url-encoded parts separated by dots: a header (the signing algorithm and type), a payload (the claims), and a signature that lets the recipient verify the token wasn't tampered with.
Does this verify the signature?
No. This tool only decodes the token so you can read what's inside it. Verifying the signature requires the secret or public key that signed the token, and decoding alone is not a security check — never trust a token's contents without verifying it server-side.
Is my token sent anywhere?
No. Decoding happens entirely in your browser with JavaScript. The token you paste is never uploaded, logged or stored, so it's safe to inspect tokens locally.
What do exp, iat and nbf mean?
They are standard time claims expressed as Unix timestamps. exp is the expiry time (the token is invalid after it), iat is when the token was issued, and nbf is the earliest time the token may be used. This tool converts each to a readable local date.
Why does decoding fail?
Decoding fails if the input isn't three dot-separated parts, or if the header or payload isn't valid base64url-encoded JSON. Make sure you pasted the whole token and didn't include surrounding quotes or the 'Bearer ' prefix.
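As an added example (not the tool's own source), here is the decoding flow described under "What a JWT contains", "How to use it" and the questions above, written for Node.js so it runs outside a browser: it splits the token, base64url-decodes the header and payload, converts exp, iat and nbf to readable dates, and rejects the malformed inputs listed under "Why does decoding fail?" without ever verifying the signature. The sample token, its claims and its signature bytes are constructed for the example.

```javascript
// Decoding flow of the tool above: split, base64url-decode, parse JSON, and turn
// exp/iat/nbf into readable dates. It does NOT verify the signature. Written for
// Node.js (Buffer); in a browser, swap base64urlToText for atob() + TextDecoder.
function base64urlToText(part) {
  // base64url -> standard base64: restore '+' and '/', then add '=' padding
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}
function textToBase64url(text) { // only used to build the constructed sample below
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
// Returns { header, payload, signature, times, expired, notYetValid } or throws on
// malformed input; nowSeconds is injectable so the expiry check is deterministic.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const trimmed = token.trim();
  if (/^Bearer\s/i.test(trimmed)) {
    throw new Error('Remove the "Bearer " prefix and paste only the token');
  }
  const parts = trimmed.split('.');
  if (parts.length !== 3) {
    throw new Error(`Expected 3 dot-separated parts, got ${parts.length}`);
  }
  let header, payload;
  try {
    header = JSON.parse(base64urlToText(parts[0]));
    payload = JSON.parse(base64urlToText(parts[1]));
    if (payload === null || typeof payload !== 'object') throw new Error();
  } catch (e) {
    throw new Error('Header or payload is not valid base64url-encoded JSON');
  }
  const times = {};
  for (const claim of ['exp', 'iat', 'nbf']) {
    if (typeof payload[claim] === 'number') {
      times[claim] = new Date(payload[claim] * 1000).toISOString(); // UTC; the tool shows local time
    }
  }
  const expired = typeof payload.exp === 'number' && payload.exp <= nowSeconds;
  const notYetValid = typeof payload.nbf === 'number' && payload.nbf > nowSeconds;
  return { header, payload, signature: parts[2], times, expired, notYetValid };
}
// Constructed sample token: HS256 header, a few claims, placeholder signature bytes.
const SAMPLE_TOKEN = [
  textToBase64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  textToBase64url(JSON.stringify({ sub: 'user-42', iss: 'example.test', iat: 1700000000, exp: 1700003600 })),
  'bm90LWEtcmVhbC1zaWduYXR1cmU', // constructed placeholder, not a real HMAC
].join('.');
console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN, 1700001800), null, 2));
```

The returned `expired` and `notYetValid` flags correspond to the tool's expired or valid badge; they only compare timestamps and say nothing about whether the signature is genuine.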