JWT Decoder

Decode JSON Web Tokens to inspect header, payload, and signature.

A JSON Web Token (JWT) is a compact, signed token of three Base64url parts — header, payload, and signature — used to carry identity and claims between services. Paste a token and this tool decodes the header and payload into readable JSON and shows the claims, including expiry status. Decoding happens in your browser, with no signature verification and no secret involved.

Frequently asked questions

What is inside a JWT?

Three parts separated by dots: a header (algorithm and type), a payload (the claims), and a signature that authenticates the first two.

Is the payload encrypted?

No. A standard JWT is only Base64url-encoded, so anyone can read its contents. Never put secrets in a JWT payload.

Does this verify the signature?

No. It decodes the token for inspection only; verifying authenticity needs the issuer’s secret or public key, which this tool doesn’t handle.

What do exp and iat mean?

exp is the expiry time and iat is when the token was issued, both as Unix timestamps. The tool flags whether the token has expired.

Is my token sent anywhere?

No. Decoding is done entirely in your browser; the token is never uploaded.
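The decoding steps described above, as an added example in JavaScript (not this tool's own code): split on the dots, Base64url-decode the header and payload, parse the JSON, and compare exp with the current time. The function names and the sample token are constructed for illustration, and the result is marked unverified because no signature check is performed.

```javascript
// Decode one Base64url segment to text, rejecting characters outside the alphabet.
function b64urlToText(part) {
  if (!/^[A-Za-z0-9_-]+$/.test(part)) throw new Error("segment is not Base64url");
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4); // restore stripped padding
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Inspect a JWT without verifying it. nowSeconds is injectable so the
// expiry check can be tested against a fixed clock.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlToText(parts[0]));
  const payload = JSON.parse(b64urlToText(parts[1]));
  let expiry = "no exp claim";
  if (typeof payload.exp === "number") {
    // exp and iat are Unix timestamps in seconds; at or past exp counts as expired.
    expiry = nowSeconds >= payload.exp ? "expired" : "not expired";
  }
  // The signature (parts[2]) is never checked, so every claim is untrusted input.
  return { header, payload, expiry, signatureVerified: false };
}

// Constructed sample token: the third part is a dummy string, not a real signature.
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user-123", iat: 1700000000, exp: 1700003600 }),
  "ZHVtbXk",
].join(".");

console.log(decodeJwt(sampleToken, 1700000100));
```

Anything that makes an access decision must verify the signature with the issuer's key first; the output here is suitable for inspection only.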