JWT Decoder
Paste a JSON Web Token to inspect its header, payload, and claims. Human-readable timestamps for exp, iat, and nbf.
Header
Payload
Registered Claims
Signature
The signature is Base64URL-encoded. This tool does not verify it.
How JWTs work
A JSON Web Token has three dot-separated Base64URL-encoded sections: header.payload.signature. The header identifies the token type and signing algorithm. The payload contains claims — statements about the subject. The signature proves the token was issued by a trusted party.
Decoding reveals the header and payload to anyone. The signature is what makes the token trustworthy — it can only be verified by someone with the issuer's public key or shared secret.
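The split-and-decode step described above, as an added example that is not the tool's own code: it separates the three Base64URL sections, parses the header and payload as JSON, renders exp, iat and nbf as ISO 8601 timestamps, and classifies the token by its time claims. The sample token, its claim values and the placeholder signature segment are constructed for the demonstration; the code targets Node (Buffer), and a browser build would swap in atob()/btoa().

```javascript
// Added example, not the page's own code: decode a JWT the way a browser tool
// does, without verifying the signature. Sample token and claims are constructed.
// Runs in Node (Buffer); in a browser, replace Buffer with atob()/btoa().

function base64UrlEncode(text) {
  // Standard Base64, then switch to the URL-safe alphabet and drop '=' padding.
  return Buffer.from(text, 'utf8')
    .toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}

function base64UrlDecode(segment) {
  // Reverse the alphabet swap and restore padding to a multiple of 4 characters.
  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

const TIME_CLAIMS = ['exp', 'iat', 'nbf'];

function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected header.payload.signature, got ${parts.length} section(s)`);
  }
  const [headerB64, payloadB64, signatureB64] = parts;
  const header = JSON.parse(base64UrlDecode(headerB64));
  const payload = JSON.parse(base64UrlDecode(payloadB64));

  // Registered time claims are NumericDate values: seconds since the Unix epoch.
  const timestamps = {};
  for (const claim of TIME_CLAIMS) {
    if (typeof payload[claim] === 'number') {
      timestamps[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  // The signature is passed through untouched: decoding it says nothing about validity.
  return { header, payload, timestamps, signature: signatureB64 };
}

// Classify a token by its time claims alone. This is diagnosis, not verification:
// an "active" result only means the clock says so, not that the issuer signed it.
function tokenStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) return 'not-yet-valid';
  if (typeof payload.exp === 'number' && nowSeconds >= payload.exp) return 'expired';
  return 'active';
}

// Constructed sample: an HS256 header and a payload carrying all three time claims.
// The signature segment is a placeholder; this decoder never checks it.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({
    sub: '1234567890',
    iss: 'https://issuer.example',
    aud: 'my-api',
    iat: 1700000000,
    nbf: 1700000000,
    exp: 1700003600,
  })),
  base64UrlEncode('placeholder-signature'),
].join('.');

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(JSON.stringify(decoded, null, 2));
console.log('status one second before exp:', tokenStatus(decoded.payload, 1700003599));
```

The exp comparison is exclusive and the nbf comparison inclusive, matching the registered-claim definitions: a token is no longer valid at exactly its exp second, and becomes valid at exactly its nbf second.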
Common uses
- API debugging — decode the token from an Authorization header to check the subject, scopes, or role claims mid-session
- Expired token diagnosis — inspect the exp claim to confirm whether a 401 error is caused by token expiry
- OAuth / OIDC inspection — check the issuer (iss), audience (aud), and nonce in an ID token received from an OAuth provider
- Token generation testing — verify that your backend is embedding the correct claims before deploying
🔒 Privacy
Decoding happens entirely in your browser using Base64URL decoding. The token is never sent to any server. Still, avoid pasting tokens with sensitive payloads into any website you don't control.
FAQ
Why can't this tool verify the signature?
Verifying a JWT signature requires the issuer's public key (RS256/ES256) or shared secret (HS256). This browser tool doesn't have — and shouldn't have — your signing keys. Verification must happen server-side in your application.
What do exp and iat mean?
iat (issued at) is the Unix timestamp when the token was created. exp (expiration time) is when the token expires. nbf (not before) is the earliest time the token is valid. All are Unix timestamps in seconds.