JWT Decoder
Paste a JWT token to decode its header and payload, read common claims and inspect the signature without verifying the secret.
Decoding happens in your browser. No token is sent to servers.
Decoded result
Local processing: avoid pasting real production tokens if they contain sensitive data.
Common claims
Header
Paste a JWT token and click Decode JWT.
Payload
Paste a JWT token and click Decode JWT.
Signature
Paste a JWT token and click Decode JWT.
Quick answer
The JWT Decoder splits a JWT token into header, payload and signature. It shows decoded JSON, claims such as iss, sub, aud, iat and exp, and helps review tokens used in APIs and authentication.
How to use the JWT Decoder
Paste the full token into the main field and click decode. Read the header to check algorithm and type, inspect the payload to understand claims, and copy the JSON when documenting or debugging an integration.
Available options
You can load a sample token, copy the decoded JSON, download the result as a .json file and clear the page to test another token.
How decoding works
A compact JWT has three Base64URL parts. This tool converts header and payload to UTF-8 text and parses them as JSON. The third part is displayed as a signature, but it is not verified.
Practical example
A token with a payload containing sub=user-123 and role=admin will appear as readable JSON. If exp or iat are present, the tool also shows an approximate local date.
How to interpret the result
The header identifies the token algorithm and type. The payload contains claims about issuer, subject, audience, expiration and permissions. The signature validates integrity, but verification requires a secret or public key outside this decoder.
Useful tips
Never treat a decoded JWT as authentic without verifying its signature on the backend. Avoid pasting real tokens with sensitive data into public tools, even when processing is local.
Frequently asked questions
Does this JWT Decoder verify the signature?
No. This tool decodes header and payload, but it does not verify a secret, public key or cryptographic integrity.
Is JWT encrypted?
Usually no. A signed JWT can be read by anyone who has the token. The signature only helps detect changes.
Are my tokens sent to a server?
No. Decoding happens in your browser using local JavaScript.
What does exp mean in a JWT?
exp is the expiration time as a Unix timestamp. After that time, the application should reject the token.