JWT Decoder
Decode a JSON Web Token's header and payload, view claims, and check expiry — privately.
Decode JSON Web Tokens instantly
The JWT Decoder takes a JSON Web Token and reveals its contents — the header, the payload, and the standard claims like issued-at and expiry — formatted for easy reading. Paste a token and it is decoded immediately, entirely in your browser. Because nothing is sent to a server, it is safe to inspect tokens that contain sensitive claims.
What is a JWT?
A JSON Web Token is a compact, URL-safe way to represent claims between two parties, widely used for authentication and authorization. It has three parts separated by dots: a header (the signing algorithm and token type), a payload (the claims, such as the user ID and expiry), and a signature (used to verify the token has not been tampered with). The header and payload are simply Base64URL-encoded JSON — which is why they can be decoded without any secret.
Common JWT claims
| Claim | Meaning |
|---|---|
| iss | Issuer — who created the token |
| sub | Subject — usually the user ID |
| aud | Audience — who the token is for |
| exp | Expiry time (Unix seconds) |
| iat | Issued-at time |
| nbf | Not-before time |
How to use it
- Paste your JWT into the box.
- Read the decoded header and payload side by side.
- Check the human-readable issued-at and expiry, including whether the token has expired.
Decoding is not verifying
This is the most important thing to understand about JWTs: decoding a token only reads its contents — it does not verify the signature. Anyone can read a JWT's payload, and anyone can craft a token with arbitrary claims. On a server, you must always verify the signature with the secret or public key before trusting any claim. This tool is for inspection and debugging, not authentication.
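The difference between decoding and verifying, shown as an added Node.js example that is not this tool's own code. The secret, the claims and the function names are constructed for illustration, and HS256 is assumed as the signing algorithm.

```javascript
// Added example (not this tool's code). Secret and claims are constructed.
const { createHmac, timingSafeEqual } = require("node:crypto");

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const hmac = (data, secret) => createHmac("sha256", secret).update(data).digest();

// Decoding: no key involved, so it proves nothing about who wrote the claims.
function decodeJwt(token) {
  const [h, p] = token.split(".");
  const parse = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));
  return { header: parse(h), payload: parse(p) };
}

// Issuer side, only here to build the sample tokens below.
function signHs256(payload, secret) {
  const input = `${b64url({ alg: "HS256", typ: "JWT" })}.${b64url(payload)}`;
  return `${input}.${hmac(input, secret).toString("base64url")}`;
}

// Verifying: pin the expected algorithm, check the signature, then check exp.
function verifyHs256(token, secret, nowSeconds) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  let decoded;
  try { decoded = decodeJwt(token); } catch { return { ok: false, reason: "malformed" }; }
  if (decoded.header?.alg !== "HS256") return { ok: false, reason: "unexpected alg" };
  const expected = hmac(`${parts[0]}.${parts[1]}`, secret);
  const given = Buffer.from(parts[2], "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected))
    return { ok: false, reason: "bad signature" };
  if (typeof decoded.payload?.exp === "number" && nowSeconds >= decoded.payload.exp)
    return { ok: false, reason: "expired" };
  return { ok: true, claims: decoded.payload };
}

const SECRET = "constructed-demo-secret";
const NOW = 1700000000; // fixed clock so the result is reproducible
const genuine = signHs256({ sub: "user-1", role: "user", exp: NOW + 3600 }, SECRET);
// Constructed tampered copy: payload replaced, original signature kept.
const [head, , sig] = genuine.split(".");
const tampered = `${head}.${b64url({ sub: "user-1", role: "admin", exp: NOW + 3600 })}.${sig}`;

console.log(decodeJwt(tampered).payload.role);          // "admin"
console.log(verifyHs256(tampered, SECRET, NOW).reason); // "bad signature"
console.log(verifyHs256(genuine, SECRET, NOW).ok);      // true
```

The tampered token decodes exactly like the genuine one; only the signature check tells them apart, which is why claims are read from the verifier's result and never from a bare decode.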
When this tool helps
- Debugging why an API rejects a token (often an expired exp).
- Confirming which claims and scopes a token carries.
- Checking the signing algorithm in the header.
- Learning how JWTs are structured.
Private and free
Your token is decoded entirely in your browser and never leaves your device. There is nothing to install, no sign-up, and no limits.
Frequently asked questions
Does this verify the JWT signature?
No. It only decodes the header and payload. Signature verification requires the secret or public key and must be done server-side.
Is it safe to paste my token here?
Yes. Decoding happens entirely in your browser — your token is never uploaded or stored.
Why can anyone read a JWT?
The header and payload are only Base64URL-encoded, not encrypted. Never put secrets in a JWT payload.
How do I know if a token is expired?
The tool reads the exp claim and shows the expiry time along with whether it has already passed.