JWT Decoder

Decode a JSON Web Token to read its header, payload, and claims.

100% Free · No signup · Works in your browser · No data uploaded

Decoded entirely in your browser. A token is not verified here — decoding is not the same as validating its signature.

How to use the JWT Decoder

Step 1 — Paste the token

  • Drop in a JWT. A signed token begins with eyJ, which is simply the Base64URL encoding of a JSON header that starts with {".

Step 2 — Decode

  • Press Decode to reveal the header and payload as formatted JSON.

Step 3 — Read the claims

  • Timestamps like issued-at and expiry are shown as readable dates.

Private

  • Decoding happens in your browser; nothing is uploaded.

Frequently asked questions

Does this verify the token signature?

No. It decodes and displays the contents only. Verifying the signature requires the key the issuer used: a shared secret for HMAC algorithms such as HS256, or the issuer's public key for asymmetric algorithms such as RS256 and ES256. A shared secret should never be pasted into a website, and even a public-key check belongs in the service that relies on the token, because that service also decides which algorithms and keys it will accept. Decoding shows what is inside; it does not prove the token is genuine.

Is it safe to paste a token here?

The decoding happens entirely in your browser and nothing is sent anywhere. Still, treat real tokens as credentials — prefer a test token, and never share a live token that grants access to your accounts.

What are iat, exp, and nbf?

They are the standard time claims defined in RFC 7519: iat is when the token was issued, exp when it expires, and nbf the earliest time it is valid. All three are Unix timestamps in seconds (not milliseconds) since 1970-01-01 UTC. The tool converts them to readable dates and flags a token whose exp is already in the past according to your machine's clock.

Why is the payload readable without a password?

A JWT payload is only Base64URL-encoded, not encrypted. Anyone can read it. That is by design — the signature protects against tampering, not against reading. Never put secrets in a JWT payload.

What token types does it support?

Any signed JWT (JWS compact serialization) with three dot-separated parts: header, payload, signature. It decodes the JSON header and payload regardless of the signing algorithm, including a token whose header says alg: none, because the signature is never evaluated here. Encrypted tokens (JWE) have five dot-separated parts and an encrypted payload, so their contents cannot be read by decoding.

About the JWT Decoder

This tool decodes a JSON Web Token so you can read what is inside it — the header, the payload, and the standard time claims — directly in your browser. It is a debugging aid for developers working with authentication and APIs.

What a JWT is

A JSON Web Token is a compact, URL-safe way to carry a set of claims between parties, used heavily for authentication and authorisation. It has three parts separated by dots: a header naming the signing algorithm (and often a key identifier), a payload of claims (who the user is, what they can do, when the token expires), and a signature. The first two parts are simply Base64URL-encoded JSON, which is why this tool can reveal them instantly. The signature is a cryptographic check that the token has not been altered, and only a verifier holding the right key can perform that check.

Decoding is not verifying — an important distinction

This tool decodes; it does not verify. Reading a token tells you what it claims, not whether those claims are trustworthy. Verification means recomputing or checking the signature with the issuer's key, and it should happen in the service that relies on the token, on the server: for HMAC algorithms such as HS256 the key is a shared secret that must never leave the server, and for asymmetric algorithms the server is also where the decision of which algorithms and keys to accept is made, which is something a paste-in tool cannot do for you. A related safety rule: a JWT payload is encoded, not encrypted, so anyone holding the token can read every claim in it. Never place passwords or secrets in a payload, and treat a live token as a credential: decode test tokens here, not ones that currently grant access to your real accounts.

Reading the claims

Beyond showing the raw JSON, the tool translates the standard time claims into readable dates: iat (issued at), nbf (not before), and exp (expiry), and it tells you whether an exp value is in the past so you can immediately see if a token has expired. This is often the quickest way to diagnose an authentication problem — a token that decodes fine but expired ten minutes ago explains a lot. Everything is processed locally; the token never leaves your device. To generate hashes or work with Base64, see the Hash Generator and Base64 Encoder / Decoder.
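What the tool does under the hood for the two sections above, What a JWT is and Reading the claims, as an added example that is not the tool's own code: a small decoder in plain browser JavaScript (it also runs under Node.js) that splits the token, Base64URL-decodes the first two parts, parses the JSON, and converts iat, nbf and exp to dates with an expired / not-yet-valid flag. The sample tokens are constructed for the example; the first is the public jwt.io demo token, the second carries time claims and a deliberately meaningless signature to show that decoding never looks at it.

```javascript
// Added example, not the page's own code: decode only, no signature check.

// Base64URL (URL-safe alphabet, no padding) -> bytes.
function base64UrlToBytes(s) {
  if (!/^[A-Za-z0-9_-]*$/.test(s)) throw new Error('not Base64URL');
  let b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('invalid Base64URL length');
  if (rem) b64 += '='.repeat(4 - rem);
  const bin = typeof atob === 'function'
    ? atob(b64)
    : Buffer.from(b64, 'base64').toString('binary');
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes;
}

// JSON part -> object, decoding UTF-8 properly (atob alone would mangle non-ASCII names).
function decodeJsonPart(part) {
  return JSON.parse(new TextDecoder().decode(base64UrlToBytes(part)));
}

// Decode a signed token (JWS compact serialization). The signature is kept as an
// opaque string and never checked, hence verified: false.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length === 5) throw new Error('JWE (encrypted) token: payload is not readable');
  if (parts.length !== 3) throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  const [h, p, s] = parts;
  return { header: decodeJsonPart(h), payload: decodeJsonPart(p), signature: s, verified: false };
}

// iat/nbf/exp are seconds since the Unix epoch; Date wants milliseconds.
function describeTimeClaims(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  const out = {};
  for (const name of ['iat', 'nbf', 'exp']) {
    if (typeof payload[name] === 'number') out[name] = new Date(payload[name] * 1000).toISOString();
  }
  out.expired = typeof payload.exp === 'number' && nowSeconds >= payload.exp;
  out.notYetValid = typeof payload.nbf === 'number' && nowSeconds < payload.nbf;
  return out;
}

// Constructed sample 1: the public jwt.io demo token (HS256).
const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

// Constructed sample 2: time claims plus a garbage signature. It still decodes,
// which is exactly why decoding proves nothing about authenticity.
const toBase64 = (s) => (typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'binary').toString('base64'));
const b64url = (s) => toBase64(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const EXPIRED_TOKEN =
  b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) + '.' +
  b64url(JSON.stringify({ sub: 'alice', iat: 1700000000, nbf: 1700000000, exp: 1700003600 })) +
  '.not-a-real-signature';

console.log(decodeJwt(SAMPLE_TOKEN));
console.log(describeTimeClaims(decodeJwt(EXPIRED_TOKEN).payload, 1700003600));
```

Two details are easy to get wrong when hand-rolling this: the alphabet swap plus re-padding before handing the string to a plain Base64 decoder, and multiplying the timestamps by 1000 before building a Date. Neither step touches the third part of the token.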
