JWT Decoder — Decode & Inspect JSON Web Tokens Online
The signature is shown but not verified — verification needs the signing key, which never leaves your server. Decoding alone does not prove a token is authentic.
Paste a JSON Web Token to instantly read its decoded header and payload. The tool splits the token into its three parts, decodes the Base64URL segments, pretty-prints the JSON, and surfaces registered claims like exp and iat with readable dates. Everything runs in your browser — your token is never sent anywhere.
How it works
- 1 Paste your token Paste the full JWT (it starts with eyJ and has two dots) into the input box. Decoding starts as you type — no button to press.
- 2 Read the header and payload The decoded header and payload appear as formatted JSON. The algorithm, token type, and expiry status are shown at the top.
- 3 Check the claims and copy Registered claims such as exp, iat, and sub are listed with human-readable dates. Use the copy buttons to grab the decoded JSON.
Your data stays private
All processing happens entirely in your browser. No files, text, or data are ever sent to our servers. You can disconnect from the internet and this tool will still work.
Frequently asked questions
- Does this tool verify the JWT signature?
- No. Decoding only reads the contents — verifying the signature requires the secret key (HMAC) or public key (RSA/ECDSA), which a client-side tool cannot safely hold. This tool shows the raw signature segment but does not check it. Always verify signatures on your server before trusting a token.
- Is my token sent to a server?
- Never. All decoding happens in JavaScript inside your browser. The token never leaves your device, so it is safe to paste tokens from staging or production while debugging.
- What do the three parts of a JWT mean?
- A JWT is header.payload.signature. The header names the signing algorithm and token type. The payload holds the claims (data) such as user ID and expiry. The signature is computed from the first two parts plus a secret and proves the token was not tampered with.
- What does the exp claim mean?
- exp is the expiry time as a Unix timestamp (seconds since 1970). If the current time is past exp, the token is expired and most servers will reject it. This tool compares exp to your device clock and shows an Expired or Not expired badge.
- Why is the payload not encrypted?
- A standard JWT is signed, not encrypted. The header and payload are only Base64URL-encoded, so anyone with the token can read them. Never put passwords or secrets in a JWT payload — treat it as readable by anyone who holds the token.
- What is Base64URL and why not plain Base64?
- Base64URL is a Base64 variant that replaces + and / with - and _ and drops the padding, so the result is safe to use in URLs and HTTP headers. JWTs use it for all three segments, which is why pasting a segment into a plain Base64 decoder often fails.