JWT Decoder (Decode JSON Web Tokens)
A JWT decoder reads the contents of a JSON Web Token so you can see the claims it carries, without changing the token or contacting any server. A JSON Web Token is a compact, signed string used to pass identity and permission data between a client and a server. The decoder below splits the token, base64url-decodes its header and payload, and shows them as readable JSON entirely inside your browser.
What a JWT Is
A JSON Web Token is a string in three parts joined by dots: header.payload.signature. The header says which algorithm signed the token and what type it is. The payload holds the claims, which are the pieces of data the token asserts, such as who the user is and when the token expires. The signature is computed from the header and payload using a secret or a private key, and it lets the server confirm the token was issued by a party it trusts and has not been altered. The header and payload are base64url-encoded, not encrypted, which is why a decoder can read them.
How to Use It
- Copy the token you want to inspect. It looks like a long string with two dots in it.
- Paste it into the box above. The decoder runs as you type.
- Read the Header to see the signing algorithm and token type.
- Read the Payload to see the claims, such as the subject, issuer, and expiry.
- Check the time claims below the payload, where the tool converts exp, iat, and nbf into readable dates.
The Three Parts of a JWT
| Part | What it holds | Readable by this tool |
|---|---|---|
| Header | Signing algorithm (alg) and token type (typ) | Yes, decoded and shown as JSON |
| Payload | Claims, such as sub, iss, exp, and iat | Yes, decoded and shown as JSON |
| Signature | A signature or HMAC computed over the header and payload with a secret or private key | No, it is not decoded and not verified |
Common Claims Explained
The payload uses short, standard claim names so any service can read them the same way. The issuer claim, iss, names the party that created the token. The subject claim, sub, identifies who the token is about, usually a user ID. The expiry claim, exp, is a Unix timestamp in seconds after which the token should be rejected. The issued-at claim, iat, records when the token was created, also in Unix seconds. You will often see nbf, a not-before time, and aud, the intended audience. Because exp, iat, and nbf are raw second counts, the decoder above converts them into dates so you can tell at a glance whether a token is current.
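The decoding steps described above (split on dots, base64url-decode the header and payload, parse them as JSON, convert exp, iat and nbf to dates, and report bad input instead of throwing), as an added example that is not the page's own tool code. It is written for Node so it can be run as-is; a browser version would swap Buffer for atob and TextDecoder. The sample token is constructed inline and its third segment is a dummy, since nothing here looks at the signature.

```javascript
// Base64url to UTF-8 text: swap the URL-safe characters back and re-add the
// padding that JWT segments strip. (Browser version: atob + TextDecoder.)
function base64UrlDecode(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - b64.length % 4) % 4), 'base64').toString('utf8');
}
// Inverse, used only to build the constructed sample token below.
function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode without verifying: split on dots, decode header and payload, convert
// the time claims, and return an error object instead of throwing on bad input.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) {
    return { ok: false, error: `expected 3 dot-separated parts, found ${parts.length}` };
  }
  let header, payload;
  try {
    header = JSON.parse(base64UrlDecode(parts[0]));
    payload = JSON.parse(base64UrlDecode(parts[1]));
  } catch (e) {
    return { ok: false, error: 'header or payload is not base64url-encoded JSON' };
  }
  if (!header || typeof header !== 'object' || !payload || typeof payload !== 'object') {
    return { ok: false, error: 'header and payload must be JSON objects' };
  }
  // exp, iat and nbf are Unix seconds; Date wants milliseconds.
  const times = {};
  for (const name of ['exp', 'iat', 'nbf']) {
    if (Number.isInteger(payload[name])) times[name] = new Date(payload[name] * 1000).toISOString();
  }
  return {
    ok: true, header, payload, times,
    expired: Number.isInteger(payload.exp) ? payload.exp <= nowSeconds : null,
    notYetValid: Number.isInteger(payload.nbf) ? payload.nbf > nowSeconds : null,
    signatureVerified: false, // decoding says nothing about who issued the token
  };
}

// Constructed sample: genuine header and claims, dummy third segment.
const SAMPLE_TOKEN = [
  base64UrlEncode({ alg: 'HS256', typ: 'JWT' }),
  base64UrlEncode({ iss: 'https://issuer.example', sub: 'user-42', iat: 1700000000, exp: 1700003600 }),
  'dummy-signature-segment',
].join('.');
```

Passing `nowSeconds` explicitly makes the expiry check reproducible; the default uses the device clock, as the tool does.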
When to Use It
Decode a JWT when you are debugging a login flow and need to confirm which claims a token carries, when an API returns an authorization error and you want to check whether the token has expired, or when you are learning how tokens are structured. Pair it with the Base64 encoder and decoder if you want to inspect an individual segment by hand, and with the JSON formatter to tidy a payload you have copied out.
Privacy
The token never leaves your device. All splitting, base64url decoding, and JSON parsing happen in your browser using built-in functions, so the tool works with no network connection and stores nothing. That makes it safe to inspect a token without the risk of it being logged on a server you do not control.
Last Thoughts on Decoding JSON Web Tokens
A JWT is only base64url-encoded, not encrypted, so anyone holding the token can read its claims. That is by design: the protection comes from the signature, not from hiding the contents. A decoder simply makes those readable claims visible to you, which is exactly what you need when you are checking an expiry, confirming a subject, or learning the format.
Use the decoder above to inspect your next token, and remember that what it shows is the token’s claims, not a guarantee they are valid. For related work, see the Base64 encoder and decoder, the JSON formatter, and the URL encoder and decoder, or browse the rest of our free online tools.
Key Takeaways:
- A JWT has three dot-separated parts: header, payload, and signature.
- The header and payload are base64url-encoded JSON, so a decoder can read them without any key.
- This tool decodes only; it does not verify the signature, which only the issuing server can do.
- Time claims exp, iat, and nbf are Unix seconds; the tool converts them into readable dates.
- Common claims include iss (issuer), sub (subject), exp (expiry), and iat (issued at).
- Decoding runs entirely in your browser, so the token is never uploaded or stored.
Frequently Asked Questions (FAQs)
Does this JWT decoder verify the signature?
No. It decodes the header and payload so you can read the claims, but it does not verify the signature. Verifying a token requires the signing secret or public key, which only the server that issued the token holds. A decoded token tells you what it claims, not whether the claims are trustworthy.
Is it safe to paste my token here?
The decoding happens entirely in your browser and the token is never sent anywhere, so this tool does not expose it. As a general habit, though, avoid pasting a live production token into any online tool you do not control, because anyone holding a current token can use it until it expires.
Why can a decoder read my token without a password?
Because the header and payload of a JWT are base64url-encoded, not encrypted. Encoding only makes the data compact and URL-safe; it does not hide it. The signature, not secrecy, is what protects a JWT, so any decoder can read the claims while only a key holder can confirm the token is genuine.
How do I tell if a token has expired?
Look at the exp claim, which is a Unix timestamp in seconds. The decoder converts it into a readable date and compares it with your device clock to show whether the token is expired. If the time is in the past, a server should reject the token even though the decoder can still read it.
What do iss, sub, exp, and iat mean?
They are standard registered claims. The iss claim names the issuer of the token, sub identifies the subject the token is about, exp is the expiry time, and iat is the time the token was issued. Both exp and iat are expressed as Unix seconds, which the decoder turns into dates for you.
What happens if I paste an invalid token?
The decoder handles it gracefully. If the string does not have the three dot-separated parts, or if a part cannot be base64url-decoded as JSON, the tool shows a clear message instead of breaking. You can correct the token and it will decode again as you type.