Skip to main content

JWT Decoder

Decode a JWT to read its header and payload, inspect claims and expiry.

 
  

Online JWT decoder

A JWT (JSON Web Token) has three dot-separated Base64URL parts: header, payload and signature. This JWT decoder turns the first two into readable JSON so you can inspect claims (like sub, iss, exp) and see the exp as a human-readable time — handy for debugging auth. Everything is decoded locally.

How to use

  1. Paste a full JWT into the input box.
  2. The decoded header and payload appear below in real time.
  3. Check whether exp has passed and whether the claims are correct.

Important notes

  • This decodes only — it does not verify the signature (that needs a secret key, which should never go into an online tool).
  • The payload is readable by anyone; never put secrets in it.
  • A token is like a password — be careful when sharing.

Frequently Asked Questions

Does this verify the signature?

No. It only decodes (Base64URL) and shows the header and payload — it does not verify the signature, which requires your secret key and should never be pasted into an online tool.

Is my token safe here?

Yes. Decoding happens entirely in your browser; the token is never sent to a server. Even so, treat valid production tokens with care.

Is a JWT encrypted?

No. A JWT header and payload are just Base64URL-encoded, so anyone can read them — never put secrets in the payload.