JWT Decoder
Decode and inspect JWT headers, payloads, and signatures.
Examples
| Input | Header | Payload |
|---|---|---|
| eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c | {"alg":"HS256","typ":"JWT"} | {"sub":"1234567890","name":"John Doe","iat":1516239022} |
| eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhdXRoLmV4YW1wbGUuY29tIiwiZXhwIjoxNzAwMDAwMDAwfQ.signature | {"alg":"RS256","typ":"JWT"} | {"iss":"auth.example.com","exp":1700000000} |
| eyJhbGciOiJFUzI1NiJ9.eyJyb2xlIjoiYWRtaW4iLCJ1aWQiOiI0MiJ9.signature | {"alg":"ES256"} | {"role":"admin","uid":"42"} |
About this tool
A JSON Web Token (JWT) is made up of three Base64url-encoded parts separated by dots: a header, a payload, and a signature. The header specifies the signing algorithm (like HS256 or RS256), the payload contains the claims (user data, expiration time, issuer), and the signature is computed over the encoded header and payload so that changes to either can be detected. You can decode the first two parts without any secret key since they are just Base64url-encoded JSON.
This decoder splits the token on the dot separators, Base64url-decodes each part, and pretty-prints the resulting JSON. It also detects standard timestamp claims like exp, iat, and nbf, converting them from Unix timestamps to readable dates. This is useful for debugging authentication flows, checking token expiration during development, or inspecting tokens from third-party APIs. Remember that decoding is not the same as verification. Always verify signatures on the server side.
Frequently asked questions
Can this tool verify JWT signatures?
No. This tool only decodes and displays the header and payload. Signature verification requires the signing key or public key and is a server-side operation. Treat decoded data as unverified.
What do the "iat", "exp", and "nbf" fields mean in a JWT?
"iat" is the issued-at timestamp, "exp" is the expiration time, and "nbf" means not-before. All three are Unix timestamps in seconds. This tool converts them to human-readable dates so you can check if a token is expired.
Is it safe to paste my JWT into a browser-based decoder?
This tool runs entirely in your browser and never sends your token to a server. That said, JWTs often contain user IDs and permissions, so avoid pasting production tokens into online tools that make network requests.
