JWT Decoder

Decode a JSON Web Token's header and payload instantly, right in your browser.

This free JWT decoder lets you inspect the contents of a JSON Web Token instantly. Paste a token and it splits it into its three parts — header, payload and signature — decoding the header and payload from base64url into readable JSON, and automatically converting common date claims like exp, iat and nbf into human-readable timestamps.

This tool only decodes the token; it does not verify the signature, since that would require the secret key or public key used to sign it, which this tool never has access to. Decoding happens entirely in your browser using JavaScript — the token you paste is never transmitted anywhere, making it safe to inspect tokens containing sensitive claims during development or debugging.

Frequently Asked Questions

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe format for representing claims to be transferred between two parties, commonly used for authentication and authorization in web applications and APIs.

What are the three parts of a JWT?

A JWT consists of a header (describing the token type and signing algorithm), a payload (the claims or data), and a signature, separated by dots and each encoded in base64url.

Does this tool verify the JWT signature?

No. Verifying a signature requires the secret or public key that was used to sign the token, which this tool does not have and never requests. It only decodes the header and payload so you can read their contents.

Is it safe to paste a JWT into this tool?

Yes, in the sense that the token is never sent to any server — all decoding happens locally in your browser using JavaScript. However, treat tokens as sensitive data in general, since anyone with a valid, unexpired token can potentially use it.

What is the "exp" claim?

"exp" (expiration time) is a standard JWT claim indicating the Unix timestamp after which the token is no longer valid. This tool automatically converts it to a readable date for convenience.

What is the "iat" claim?

"iat" (issued at) records the Unix timestamp when the token was created, useful for determining a token's age.

Can a decoded JWT be trusted without verification?

No. Anyone can decode a JWT's payload since it is only base64url-encoded, not encrypted. Trusting the claims requires cryptographically verifying the signature against the correct key on the server side.

Why does my token show an error when decoding?

A JWT must have exactly three dot-separated segments, each valid base64url. If a token is truncated, has extra whitespace, or is not actually a JWT, decoding will fail.
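The decode steps and failure cases described above, as an added example that is not this tool's own code. The names decodeJwt, assertBase64Url, base64UrlDecode and SAMPLE_TOKEN are assumptions made for illustration, and the sample token is constructed.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies a signature.
const DATE_CLAIMS = ["exp", "iat", "nbf"];

// Only the base64url alphabet is allowed; a length of 1 mod 4 is never valid.
function assertBase64Url(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("segment is not valid base64url");
  }
}

// Decode one base64url segment to UTF-8 text, rejecting malformed input.
function base64UrlDecode(segment) {
  assertBase64Url(segment);
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Split, decode and annotate a token. Whitespace is not trimmed, so it fails.
function decodeJwt(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [header, payload] = parts.slice(0, 2).map((seg) => {
    const value = JSON.parse(base64UrlDecode(seg)); // throws on non-JSON text
    if (value === null || typeof value !== "object" || Array.isArray(value)) {
      throw new Error("header and payload must be JSON objects");
    }
    return value;
  });
  assertBase64Url(parts[2]); // signature bytes are checked for shape only
  const dates = {};
  for (const claim of DATE_CLAIMS) {
    const seconds = payload[claim];
    // Convert Unix seconds to ISO 8601, skipping values a Date cannot hold.
    if (Number.isFinite(seconds) && Math.abs(seconds) <= 8.64e12) {
      dates[claim] = new Date(seconds * 1000).toISOString();
    }
  }
  // verified is always false: decoding says nothing about authenticity.
  return { header, payload, signature: parts[2], dates, verified: false };
}

// Constructed sample token; the signature is a placeholder, not a real MAC.
const toB64Url = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [toB64Url({ alg: "HS256", typ: "JWT" }),
  toB64Url({ sub: "user-123", iat: 1700000000, exp: 1700003600 }), "c2lnbmF0dXJl"].join(".");
console.log(decodeJwt(SAMPLE_TOKEN));
```

The returned object always carries verified: false, so code that consumes it cannot mistake readable claims for authenticated ones.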

What algorithm does the header describe?

The header typically contains an "alg" field describing the signing algorithm (such as HS256 or RS256) and a "typ" field, usually set to "JWT".

Can I use this to debug my own application's tokens?

Yes, this is one of the most common uses — quickly inspecting the claims inside a token your application issued or received, without needing to write custom decoding code.