JWT Decoder
Paste a JSON Web Token to read its header and payload. Standard claims like expiry are shown in human-readable form.
Header
Payload
Signature is shown but not verified. Verifying requires the signing key and must be done where the key is held (typically server-side).
Signature
About JSON Web Tokens
A JWT has three Base64url-encoded parts separated by dots: header.payload.signature. The header and payload are not encrypted — they are merely encoded, so anyone can read them. The signature is what proves the token hasn't been tampered with, and verifying it requires the secret or public key.
This tool decodes the header and payload so you can inspect the claims (subject, issuer, expiry, custom fields). It deliberately does not verify the signature, because that needs the key and is a server-side responsibility.
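As an added example (not this tool's own source), the following JavaScript does what the decoder above does: it splits the three dot-separated parts, base64url-decodes the header and payload, renders iat, exp and nbf as ISO timestamps, flags expired or not-yet-valid tokens against a reference clock, and returns the signature as-is, explicitly marked unverified. The sample token, its claim values and the placeholder signature are constructed for this example.

```javascript
// Added example, not the tool's code: decode a JWT's header and payload, render the
// time claims, and surface the signature WITHOUT verifying it (no key is involved).

// Decode one base64url segment (RFC 7515, unpadded alphabet) into a UTF-8 string.
function base64UrlDecode(segment) {
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('invalid base64url segment length');
  if (rem) b64 += '='.repeat(4 - rem);
  if (typeof Buffer !== 'undefined') return Buffer.from(b64, 'base64').toString('utf8');
  return new TextDecoder().decode(Uint8Array.from(atob(b64), (c) => c.charCodeAt(0)));
}

// Encode a UTF-8 string as base64url; used here only to build the constructed sample token.
function base64UrlEncode(str) {
  const b64 = typeof Buffer !== 'undefined'
    ? Buffer.from(str, 'utf8').toString('base64')
    : btoa(String.fromCharCode(...new TextEncoder().encode(str)));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

const TIME_CLAIMS = { iat: 'issued at', exp: 'expires', nbf: 'not before' };

// Split header.payload.signature, parse the two JSON parts, and annotate time claims.
// `nowSeconds` is the reference clock (Unix seconds) for the expiry / not-before check.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('a compact JWS token must have exactly 3 parts');
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  const times = {};
  for (const [claim, label] of Object.entries(TIME_CLAIMS)) {
    if (typeof payload[claim] === 'number') {
      times[claim] = { label, iso: new Date(payload[claim] * 1000).toISOString() };
    }
  }
  const expired = typeof payload.exp === 'number' && payload.exp <= nowSeconds;
  const notYetValid = typeof payload.nbf === 'number' && payload.nbf > nowSeconds;
  // `verified` is always false here: checking the signature needs the key, server-side.
  return { header, payload, times, expired, notYetValid, signature: parts[2], verified: false };
}

// Constructed sample token: genuine header/payload encoding, placeholder signature.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ sub: 'user-42', iss: 'example.test',
    iat: 1700000000, nbf: 1700000000, exp: 1700003600 })),
  'placeholder-signature-not-verified',
].join('.');

console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN, 1700001800), null, 2));
```

The same function runs in the browser (atob/TextDecoder path) and in Node (Buffer path), so the decoding stays local either way.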
FAQ
- Is it safe to paste a token here?
- Decoding is done locally in your browser — nothing is sent anywhere. As a habit, though, never paste live production tokens into online tools you don't fully control.
- Does this verify the signature?
- No — it only decodes. Signature verification requires the signing key and should happen server-side.
- What do iat, exp and nbf mean?
- Issued-at, expiration, and not-before — all standard claims expressed as Unix timestamps in seconds.