JWT Decoder

Decode a JWT's header and payload and read its claims — entirely in your browser.

The signature is shown but not verified — decoding happens entirely in your browser.

How to use the JWT Decoder

  1. Paste your JWT into the input.

  2. Read the decoded header and payload.

  3. Check the registered claims and expiry.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token made of three Base64url-encoded parts (header, payload and signature), used for authentication and authorisation. This decoder reveals the header and payload and translates timestamp claims (exp, iat, nbf) into readable dates. Decoding is local and does not verify the signature, so you can inspect a token without supplying the signing secret or key. Because the signature is not checked, the decoded claims are unverified and say nothing about whether the token is authentic.

Key features

  • Decodes header and payload instantly
  • Human-readable exp, iat and nbf timestamps
  • Flags expired tokens
  • Fully client-side — tokens are never uploaded

Frequently asked questions

Does this verify the JWT signature?

No. It decodes the token for inspection but does not validate the signature, which requires the signing secret or key.

Is it safe to paste a real token?

Decoding happens entirely in your browser and nothing is sent anywhere — but treat live tokens as sensitive regardless.

What do exp and iat mean?

exp is the expiry time and iat is the time the token was issued. Both are Unix timestamps, which we convert to readable dates.