JWT Decoder
Paste any JWT to instantly decode and inspect the header, payload, and signature. Shows expiry status, algorithm, and all claims. Everything runs in your browser — your token never leaves your device.
Token structure
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjk5OTk5OTk5OTl9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Header
Payload
iat → 1/18/2018, 1:30:22 AM
exp → 11/20/2286, 5:46:39 PM
Signature
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
⚠ Signature verification requires the secret key and cannot be done client-side without it. This tool only decodes the token structure.
Frequently Asked Questions
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format for transmitting claims between parties. It has three Base64url-encoded parts separated by dots: Header (algorithm), Payload (claims), and Signature (verification). It is widely used for authentication.
Can this tool verify the JWT signature?
No — signature verification requires the secret key (HMAC) or public key (RSA/EC). This tool only decodes and displays the token's structure. Never trust a JWT's claims without verifying its signature server-side.
What are the iat, exp, and nbf claims?
iat = issued at (Unix timestamp), exp = expiration time, nbf = not before (token invalid until this time). These standard claims are automatically interpreted and shown as human-readable dates.
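The server-side check that the two answers above call for, as an added example (not this tool's code): HS256 verification in Node.js that pins the algorithm, compares the HMAC in constant time, and only then reads exp and nbf. The key, the fixed clock value and the helper names signHs256 and verifyHs256 are constructed for illustration.

```javascript
// Added example (Node.js). Key and claims below are constructed sample values.
const crypto = require("node:crypto");

const b64url = (buf) => Buffer.from(buf).toString("base64url");

// Hypothetical helper: builds a sample HS256 token so the example runs offline.
function signHs256(payload, key) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac("sha256", key).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(sig)}`;
}

// Returns the payload only if the signature and time claims check out; throws otherwise.
function verifyHs256(token, key, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, "base64url").toString("utf8"));
  // Pin the algorithm; never let the token's header choose it (rejects "none").
  if (header.alg !== "HS256") throw new Error("unexpected alg");
  const expected = crypto.createHmac("sha256", key).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  // Constant-time comparison; timingSafeEqual requires equal lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    throw new Error("bad signature");
  // Parse claims only after the signature is known to be good.
  const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  if (typeof claims.exp === "number" && nowSec >= claims.exp) throw new Error("expired");
  if (typeof claims.nbf === "number" && nowSec < claims.nbf) throw new Error("not yet valid");
  return claims;
}

const KEY = "constructed-demo-key"; // sample key, not a real secret
const NOW = 1700000000;             // fixed clock so results are reproducible
const token = signHs256({ sub: "1234567890", iat: NOW, nbf: NOW, exp: NOW + 300 }, KEY);
console.log(verifyHs256(token, KEY, NOW + 10)); // accepted
```

A token whose payload was edited after signing, or one presented with alg set to "none", fails before any claim is read.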
Is it safe to paste JWTs here?
All processing is client-side — your token never leaves your browser. However, treat JWTs like passwords in production. Use example tokens for testing, not real user tokens.