JWT Decoder
Decode and inspect JSON Web Tokens. View header, payload claims, and check expiry, all without a secret key.
Header
Payload
Signature
Signature is not verified: this tool only decodes. To verify the signature, use your server-side JWT library with the appropriate secret or public key.
About JWT Decoder
A JSON Web Token (JWT) consists of three Base64URL-encoded parts separated by dots: the header (algorithm and type), the payload (claims), and the signature. This tool decodes the first two parts so you can inspect the contents. The signature is shown as-is but is not verified.
Standard Claims Explained
- sub: Subject. The entity the token refers to (usually a user ID).
- iss: Issuer. Who created and signed the token.
- aud: Audience. Who the token is intended for.
- exp: Expiration time (Unix timestamp). The token is invalid after this time.
- iat: Issued at (Unix timestamp). When the token was created.
- nbf: Not before (Unix timestamp). Token is invalid before this time.
- jti: JWT ID. A unique identifier for this specific token.
FAQ
No. This tool only decodes the header and payload; it does not verify the signature. Verifying the signature requires the secret key (HMAC) or public key (RSA/ECDSA), which should only happen on your server. Never trust the claims in a JWT without verifying the signature server-side.
The decoding is done entirely in your browser; your JWT is never sent to any server. However, be cautious with tokens that grant sensitive access; it's best practice to only decode tokens in trusted environments.
Base64URL is a variant of Base64 that uses - instead of + and _ instead of / so the output is safe to use in URLs without percent-encoding. JWT parts are Base64URL-encoded without padding.
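The three-part structure and the unpadded Base64URL encoding described above, as an added JavaScript example (not this tool's own source code). The function names, the status strings and the sample token are assumptions constructed for illustration, and nothing in it verifies the signature.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies the signature.

// Base64URL -> UTF-8 string. Restores the '=' padding that JWT parts omit.
function base64UrlDecode(part) {
  if (!/^[A-Za-z0-9_-]*$/.test(part)) throw new Error("not Base64URL");
  if (part.length % 4 === 1) throw new Error("impossible Base64URL length");
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(part.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Split a compact JWT into its three parts and decode the first two.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  // exp and nbf are Unix timestamps in seconds, as in the claims list.
  let status = "no exp claim";
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) {
    status = "not yet valid";
  } else if (typeof payload.exp === "number") {
    status = nowSeconds >= payload.exp ? "expired" : "within validity window";
  }
  // The signature is returned as-is; verified is always false in a decoder.
  return { header, payload, signature: parts[2], status, verified: false };
}

// Helper used only to build the constructed sample below.
function base64UrlEncode(text) {
  const bin = String.fromCharCode(...new TextEncoder().encode(text));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed sample token (not a real credential); the signature is a placeholder.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({
    sub: "user-123", iss: "example-issuer", iat: 1700000000, exp: 1700003600,
  })),
  "constructed-signature-placeholder",
].join(".");

console.log(decodeJwt(SAMPLE_TOKEN, 1700000100));
```

The `status` field only reports what the unverified claims say, so it is useful for debugging and never a substitute for server-side validation.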