JWT Token Decoder
Decode and inspect JSON Web Tokens.
Runs in your browser All processing happens locally. Your data never leaves this device.
Decoding only — the signature is not verified. Nothing is sent anywhere.
Overview
A JSON Web Token (JWT) has three Base64URL parts separated by dots:
header.payload.signature. The header and payload are JSON; the signature proves
the token was issued by a party holding the signing key. This tool decodes the
header and payload so you can inspect the claims — locally, without transmitting
the token.
How to use
- Paste a JWT.
- The decoded header and payload appear as formatted JSON.
- Time-based claims (
iat,exp,nbf) are shown as dates, with an expiry status.
Notes
- Decoding is not verification. Anyone can read a JWT’s payload; only signature verification with the correct key proves authenticity. Do not make trust decisions from decoded contents alone.
- JWT payloads are not encrypted by default — never put secrets in them.
FAQ
- Does this verify the signature?
- No. This tool only decodes the Base64URL-encoded header and payload so you can read the claims. It does not verify the signature, which would require the signing key. Never trust a token's contents based on decoding alone.
- Is my token sent to a server?
- No. Decoding happens entirely in your browser. This matters because JWTs often contain sensitive claims or are themselves credentials — pasting one into a server-side decoder could leak it.
- What do iat, exp, and nbf mean?
- They are standard registered claims — issued-at, expiration, and not-before — expressed as Unix timestamps. This tool converts them to readable dates and flags whether the token is expired.
- Is it safe to paste a real token here?
- Because decoding is local and nothing is transmitted, it is far safer than server-side tools. Still, treat production tokens as secrets and avoid pasting them into any tool you do not trust.