
JWT Decoder

Paste a JSON Web Token to inspect its header, payload, and claims. Human-readable timestamps for exp, iat, and nbf.

⚠️ Decoding is not verification. This tool decodes the token structure but does not verify the signature. Never trust a decoded token as authentic without verifying its signature against the issuer's public key or secret. Also, do not paste production tokens containing sensitive claims into websites you don't trust — use the sample token below instead.

How JWTs work

A JSON Web Token has three dot-separated Base64URL-encoded sections: header.payload.signature. The header identifies the token type and signing algorithm. The payload contains claims — statements about the subject. The signature proves the token was issued by a trusted party.

Decoding reveals the header and payload to anyone. The signature is what makes the token trustworthy — it can only be verified by someone with the issuer's public key or shared secret.

🔒 Privacy

Decoding happens entirely in your browser using Base64URL decoding. The token is never sent to any server. Still, avoid pasting tokens with sensitive payloads into any website you don't control.

FAQ

Why can't this tool verify the signature?

Verifying a JWT signature requires the issuer's public key (RS256/ES256) or shared secret (HS256). This browser tool doesn't have — and shouldn't have — your signing keys. Verification must happen server-side in your application.

What do exp and iat mean?

iat (issued at) is the Unix timestamp when the token was created. exp (expiration time) is when the token expires. nbf (not before) is the earliest time the token is valid. All are Unix timestamps in seconds.
