Paste your JWT token
Header
Payload Claims
Signature (not verified)
—
What This Tool Does
The JWT Decoder parses JSON Web Tokens and displays the header and payload in a human-readable table. It highlights timestamp claims (exp, iat, nbf) with readable dates and shows whether the token has expired. The signature section is displayed as-is — verification is not performed since that requires the secret key.
Decoding runs entirely in your browser. Your JWT is never transmitted to our servers.
How to Use
Paste your JWT token into the input box — it decodes automatically. Click Sample to try an example token. The header, payload claims, and signature are shown in separate panels below.
Frequently Asked Questions
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format used to securely transmit information between parties as a JSON object. It consists of three Base64URL-encoded parts separated by dots: a Header (algorithm & token type), a Payload (claims/data), and a Signature.
Is it safe to paste my JWT here?
Decoding runs entirely in your browser — nothing is sent to our servers. That said, JWTs may contain sensitive user data, so exercise the same caution you would with any tool. For production debugging, prefer local tooling.
Does this tool verify the JWT signature?
No. Signature verification requires the secret key or public key, which you should never share with a third-party tool. This tool only decodes the header and payload, which are Base64URL-encoded (not encrypted) — the signature is shown as-is.
What does "Token Expired" mean?
The payload's "exp" (expiration) claim is a Unix timestamp. If that timestamp is in the past, the token has expired and would be rejected by any server performing proper validation.
What are common JWT claims?
Standard claims include: iss (issuer), sub (subject/user ID), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). Custom claims can include any application-specific data.