About the JWT Decoder
A JSON Web Token (JWT) is a compact, URL-safe token used for authentication and information exchange between services. It has three Base64URL-encoded parts separated by dots: the header, the payload (claims), and the signature. While the token looks opaque, the header and payload are only encoded — not encrypted — so they can be decoded and read by anyone.
This JWT decoder splits a token and decodes the header and payload into readable JSON so you can inspect claims like the subject, issuer, expiry, and any custom data. Decoding happens entirely in your browser, so your tokens never leave your device.
Features
- Decode the header and payload of any JWT instantly
- See standard claims like sub, iss, exp, and iat in readable JSON
- See whether the token is expired based on its exp claim
- 100% client-side — tokens are never transmitted
How to use
- Paste your JWT (it starts with 'eyJ…') into the input box.
- The header and payload are decoded automatically.
- Review the claims, including any expiry time.
Frequently asked questions
Does this verify the JWT signature?
No. This tool only decodes the token to show its contents. Verifying the signature requires the secret or public key and should be done on your server — never paste production secrets anywhere.
Is it safe to decode my token here?
Decoding runs locally in your browser and nothing is uploaded. Still, treat JWTs like passwords and avoid pasting live production tokens into any online tool.