JWT Decoder
Paste a JSON Web Token below to decode its header and payload. Everything runs locally in your browser — your token is never uploaded.
🔒 This tool only decodes a token — it does not verify the signature. Decoding happens entirely in your browser; nothing is sent to a server. Never paste a production token you would not want exposed.
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It has three parts separated by dots: a header, a payload, and a signature — written as xxxxx.yyyyy.zzzzz. The header and payload are Base64URL-encoded JSON, so they can be read by anyone; the signature is used to confirm the token has not been tampered with. JWTs are commonly used for authentication and for passing information securely in APIs.
How to use it
1. Paste your JWT into the box above.
2. Click Decode to split the token and Base64URL-decode the header and payload into readable JSON.
3. Review the Header and Payload blocks; if the payload contains exp, iat, or nbf claims, their human-readable dates appear under Readable Claims.
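The same three steps in JavaScript, as an added example rather than this tool's own code: split on the dots, Base64URL-decode the header and payload as UTF-8 JSON, and convert exp, iat and nbf from epoch seconds to dates. The function names (b64urlToJson, decodeJwt, toB64url) and the sample token are assumptions constructed for illustration; the result is marked unverified because no signature check takes place.

```javascript
// Decode-only JWT inspection: nothing here checks the signature.
function b64urlToJson(segment) {
  // Reject anything outside the Base64URL alphabet (this also rejects an empty segment).
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not Base64URL");
  // Base64URL swaps '+' and '/' for '-' and '_' and drops '=' padding; restore both.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  // atob returns one character per byte; decode the bytes as UTF-8 so
  // non-ASCII claim values are not mangled.
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  // exp, iat and nbf are seconds since the Unix epoch; Date expects milliseconds.
  const readable = {};
  for (const claim of ["exp", "iat", "nbf"]) {
    if (typeof payload[claim] === "number") {
      readable[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  // verified is always false: the third segment is never examined.
  return { header, payload, readable, verified: false };
}

// Helper used only to build the constructed sample token below.
function toB64url(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed sample: made-up claims and a placeholder in place of a signature.
const SAMPLE_TOKEN = [
  toB64url({ alg: "HS256", typ: "JWT" }),
  toB64url({ sub: "user-123", name: "Zoë", iat: 1700000000, exp: 1700003600 }),
  "not-a-real-signature",
].join(".");

console.log(decodeJwt(SAMPLE_TOKEN));
```

The sample decodes cleanly even though its third segment is a placeholder, so a successful decode is no evidence that a token is genuine.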
Does this verify the signature?
No. This is a decoder only: it reads what is inside the header and payload but does not validate the signature, so it cannot tell you whether a token is authentic or whether its expiry can be trusted. Verifying a JWT requires the signing secret or public key on a server. Because the payload is only encoded (not encrypted), treat any decoded token as readable by anyone and avoid pasting sensitive production tokens.