JWT Decoder

Paste a JWT to read its header and payload as clean JSON, with expiry and timestamps decoded — all in your browser.

Decoding only — the signature is not verified. JWTs are encoded, not encrypted: never paste a token containing secrets you don't want decoded. Everything here runs in your browser.

What's inside a JWT

A JSON Web Token has three dot-separated parts: a header (the algorithm and type), a payload (the claims — who the token is about, when it was issued and when it expires), and a signature that proves it hasn't been tampered with. The header and payload are just base64url-encoded JSON, which is what this tool decodes. It also reads the standard exp, iat and nbf timestamps into readable dates.

Decoding is not verifying

This tool decodes a token; it does not verify the signature, because that requires the secret or public key held by the server that issued it. So a decoded payload tells you what a token claims, not that the claims are trustworthy. And because JWTs are encoded rather than encrypted, treat them like passwords — anyone who sees a token can read everything in it. The decoding here runs entirely in your browser, so tokens you paste are never sent anywhere.
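
The decoding described in the two sections above, as an added example (it is not this tool's own source). The function names and the sample token are constructed for illustration; the third part of the token is filler, which shows that decoding succeeds whether or not a valid signature is present.

```javascript
// Added example: decode (never verify) a JWT's header and payload.
function b64urlToJson(part) {
  // base64url -> base64: swap the URL-safe characters and restore padding
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(part.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function decodeJwt(token, now = Date.now()) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected 3 dot-separated parts");
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  // exp, iat and nbf are NumericDate values: seconds since the Unix epoch
  const times = {};
  for (const claim of ["exp", "iat", "nbf"]) {
    if (typeof payload[claim] === "number") {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  const nowSec = Math.floor(now / 1000);
  return {
    header, payload, times,
    expired: typeof payload.exp === "number" ? nowSec >= payload.exp : null,
    notYetValid: typeof payload.nbf === "number" ? nowSec < payload.nbf : false,
    signatureVerified: false, // parts[2] is never checked when decoding
  };
}

// Constructed sample token; the third part is filler, not a real signature.
function makeSampleToken() {
  const enc = (obj) => btoa(JSON.stringify(obj))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  const header = { alg: "HS256", typ: "JWT" };
  const payload = { sub: "user-123", iat: 1700000000, nbf: 1700000000, exp: 1700003600 };
  return `${enc(header)}.${enc(payload)}.constructed-filler-not-a-signature`;
}

// Decode at a fixed "now" of 2023-11-14T23:00:00Z so the output is reproducible.
const sample = decodeJwt(makeSampleToken(), Date.UTC(2023, 10, 14, 23, 0, 0));
console.log(sample);
```

The `expired` and `notYetValid` fields only compare the claimed timestamps with the clock; a server must still verify the signature with its key before acting on any claim.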

FAQ

Does this verify the token's signature?
No. It decodes the header and payload only. Verifying the signature requires the issuer's secret or public key, which should never be exposed in a browser tool.

Is it safe to paste a token here?
The decoding happens entirely in your browser and nothing is uploaded. That said, JWTs are readable by anyone who has them, so avoid sharing tokens that are still valid.
