JWT Decoder
Decode and inspect JSON Web Tokens instantly. View header, payload, and expiration. All decoding happens in your browser.
JWT Structure
A JWT has three Base64URL-encoded parts separated by dots: Header (algorithm & type), Payload (claims), and Signature.
Standard Claims
sub— Subject (user ID)iat— Issued at (Unix timestamp)exp— Expiration (Unix timestamp)iss— Issuer
Security Note
This tool decodes JWTs but does NOT verify the signature. Never trust a decoded JWT without server-side verification. Avoid pasting real production tokens into third-party web tools — this tool processes everything locally in your browser.
How to Decode a JWT Token Online
- 1. Paste your JWT token into the input field — it should look like three Base64URL parts separated by dots.
- 2. The Header, Payload, and Signature are decoded and displayed automatically.
- 3. Check the expiration banner to see whether the token is valid or expired.
- 4. Click Copy next to any section to copy the JSON.
Frequently Asked Questions
What is a JWT?
JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. It has three parts: a Header (algorithm and type), a Payload (claims/data), and a Signature for verification.
What does "decoding" a JWT mean?
Decoding a JWT means reading the Header and Payload by Base64URL-decoding them. This reveals the token's contents but does NOT verify its authenticity. Verification requires the secret key or public key used to sign the token.
Why does this tool say "not verified"?
Signature verification requires the secret key or RSA/EC public key that was used to sign the token. This client-side tool only decodes — it cannot verify signatures without the key. Always verify JWTs server-side.
Is it safe to paste my JWT here?
This tool processes your JWT entirely in your browser — nothing is sent to any server. However, as a best practice, avoid pasting real production JWTs from live systems into any web tool. Use your staging/test tokens for inspection.