
JWT Decoder

Decode and inspect JSON Web Tokens. View header, payload claims, and check expiry - without a secret key.

⚠ Signature is not verified - this tool only decodes. To verify the signature, use your server-side JWT library with the appropriate secret or public key.

About JWT Decoder

A JSON Web Token (JWT) consists of three Base64URL-encoded parts separated by dots: the header (algorithm and type), the payload (claims), and the signature. This tool decodes the first two parts so you can inspect the contents. The signature is shown as-is but is not verified.

Standard Claims Explained

  • sub - Subject. The entity the token refers to (usually a user ID).
  • iss - Issuer. Who created and signed the token.
  • aud - Audience. Who the token is intended for.
  • exp - Expiration time (Unix timestamp, seconds). The token must not be accepted at or after this time.
  • iat - Issued at (Unix timestamp, seconds). When the token was created.
  • nbf - Not before (Unix timestamp, seconds). The token must not be accepted before this time; it becomes valid at exactly nbf.
  • jti - JWT ID. A unique identifier for this specific token.

How to Use

  1. Paste a JWT (the full string, which normally starts with "eyJ..." because the header is a Base64URL-encoded JSON object) into the input.
  2. The tool instantly decodes and displays the Header, Payload, and Signature sections.
  3. Check the payload claims (sub, iat, exp, etc.) and see if the token is expired.
  4. Click Copy to copy individual decoded sections.

How It Works

A JWT has three Base64URL-encoded parts separated by dots. The tool splits on the dots, Base64URL-decodes the first two parts (re-adding the "=" padding that JWTs omit), and parses the header and payload as JSON; the third part, the signature, is displayed as-is. If the payload carries an exp claim, it is compared to the current time to show expiration status.
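The following is an added example, not the tool's own source: a decoder in browser JavaScript (it also runs under Node 16+) that performs exactly the steps described above and in How to Use. The helper names (base64UrlDecode, base64UrlEncode, expiryStatus, decodeJwt) and the optional "now" parameter, which exists so the expiry check is deterministic, are assumptions of this example. The second token is constructed here to exercise the nbf/exp window; the first is the one from the Example section of this page.

```javascript
// Added example (not the tool's own code): decode a JWT and report expiry status.
// Decoding only - this code never checks the signature. Runs in a browser or Node 16+
// (atob/btoa and TextEncoder/TextDecoder are available in both).

function base64UrlDecode(input) {
  // Base64URL -> standard Base64 alphabet, then restore the '=' padding JWTs omit.
  let b64 = input.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('invalid Base64URL input length');
  if (rem) b64 += '='.repeat(4 - rem);
  const bin = atob(b64); // binary string, one char per byte
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  // Claims may contain non-ASCII text, so decode the bytes as UTF-8 rather than
  // treating the binary string as the result.
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

function base64UrlEncode(str) {
  // Inverse of the above; used here only to build a constructed sample token.
  const bytes = new TextEncoder().encode(str);
  const bin = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function expiryStatus(payload, now) {
  // RFC 7519: reject when now >= exp; reject when now < nbf (nbf itself is valid).
  if (typeof payload.nbf === 'number' && now < payload.nbf) return 'not-yet-valid';
  if (typeof payload.exp !== 'number') return 'no-exp';
  return now >= payload.exp ? 'expired' : 'valid';
}

function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  // The signature is passed through untouched: this decoder cannot verify it.
  return { header, payload, signature: s, status: expiryStatus(payload, now) };
}

// The token from the Example section of the page (its signature part is a placeholder).
const SAMPLE = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiJ1c2VyMTIzIiwiaWF0IjoxNjAwMDAwMDAwfQ.signature';

// A constructed token with nbf and exp, so all three status values can be exercised.
const WINDOWED = base64UrlEncode('{"alg":"HS256","typ":"JWT"}') + '.' +
  base64UrlEncode(JSON.stringify({ sub: 'user123', nbf: 1600000000, exp: 1600003600 })) +
  '.placeholder';

console.log(decodeJwt(SAMPLE, 1600000000));
console.log(decodeJwt(WINDOWED, 1600003600).status);
```

The "rem === 1" check matters: a Base64URL string whose length is 1 mod 4 cannot be valid, and some lenient decoders silently return truncated bytes for it instead of failing.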

Example

A JWT from your API response: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyMTIzIiwiaWF0IjoxNjAwMDAwMDAwfQ.signature
Decodes to: header {"alg":"HS256","typ":"JWT"} (algorithm HS256) and payload {"sub":"user123","iat":1600000000}, i.e. subject "user123", issued at 1600000000 (2020-09-13 12:26:40 UTC). There is no exp claim, so no expiry status can be reported. The third part, "signature", is only a placeholder in this example; a real token carries a Base64URL-encoded signature there.

FAQ

Does this tool verify the signature?

No. This tool only decodes the header and payload; it does not verify the signature. Verification needs the shared secret (HMAC) or the issuer's public key (RSA/ECDSA) and belongs in your server-side JWT library, which should verify with the algorithm your server expects rather than the alg value found in the header, and should also check exp, nbf, iss and aud. Never trust the claims in a JWT without verifying the signature server-side.

Is my token sent anywhere?

The decoding is done entirely in your browser; your JWT is never sent to any server. Still, be cautious with tokens that grant sensitive access: a live token is a bearer credential, so it is best practice to decode tokens only in trusted environments.

What is Base64URL?

Base64URL is a variant of Base64 that uses - instead of + and _ instead of / so the output is safe to use in URLs without percent-encoding. JWT parts are Base64URL-encoded without padding, so a decoder must re-add the trailing = characters before handing the string to a standard Base64 decoder.