JWT Decoder
Paste a JSON Web Token to instantly decode its header and payload and see when it expires. It is decode-only and runs entirely in your browser, so even production tokens stay private.
How to decode a JWT
- Paste your JWT (the header.payload.signature string).
- Read the decoded header and payload as formatted JSON.
- Check the expiry and issued-at times, shown as readable dates.
About JSON Web Tokens
A JSON Web Token (JWT) packs three base64url-encoded parts separated by dots: a header (the signing algorithm and type), a payload (the claims, such as the subject and expiry), and a signature. Decoding the first two parts reveals exactly what a token asserts, which is invaluable when debugging authentication and authorization.
This tool only decodes — it does not verify the signature, because verification requires the secret or public key that signed the token. Remember that a JWT’s payload is encoded, not encrypted: anyone holding the token can read it, so never put secrets in claims. Decoding happens locally here, so pasting a real token does not expose it to any server.
Frequently asked questions
Does this verify the signature?
No. This is a decoder, not a verifier — it reads the header and payload but does not check the signature, which would require the signing secret or public key. Never trust a token’s contents without verifying it server-side.
Is my token sent anywhere?
No. Decoding happens entirely in your browser, so your JWT is never uploaded or logged — safe for inspecting real, sensitive tokens.
Is a JWT encrypted?
No. The header and payload are base64url-encoded, not encrypted, so anyone with the token can read them. The signature, once verified, only proves the token was not tampered with; it does not hide the contents.
What do exp and iat mean?
They are standard time claims: iat is when the token was issued and exp is when it expires, both as Unix timestamps. This tool shows them as readable dates and flags whether the token has expired.
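The decode-only steps described above (split on dots, base64url-decode the header and payload, read iat and exp), as an added example that is not this tool's own source code. The names b64urlToJson, decodeJwt and SAMPLE are hypothetical, and the sample token is constructed with a placeholder signature.

```javascript
// Added example, not this tool's source: decode-only JWT inspection.
function b64urlToJson(part) {
  // base64url -> base64: swap the URL-safe alphabet back and restore padding.
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(part.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  // fatal: true rejects bytes that are not valid UTF-8 instead of guessing.
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error("expected header.payload.signature");
  }
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  // iat/exp are Unix timestamps in seconds; Date wants milliseconds.
  const toDate = (v) =>
    Number.isFinite(v) && Math.abs(v) <= 8.64e12
      ? new Date(v * 1000).toISOString()
      : null;
  return {
    header,
    payload,
    issuedAt: toDate(payload.iat),
    expiresAt: toDate(payload.exp),
    // Expired on or after exp; null when there is no numeric exp claim.
    expired: Number.isFinite(payload.exp) ? nowSeconds >= payload.exp : null,
    // parts[2] is never checked here: the claims are unverified input.
    verified: false,
  };
}

// Constructed sample token (placeholder signature, not a real credential).
const enc = (obj) => btoa(JSON.stringify(obj))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user-123", iat: 1700000000, exp: 1700003600 }),
  "c2lnbmF0dXJl",
].join(".");

console.log(decodeJwt(SAMPLE));
```

The result always carries verified: false, because nothing in this code can tell a genuine token from one whose payload was edited after signing; that check belongs on the server with the signing key.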