JWT Decoder

Decode any JSON Web Token (JWT) instantly. View the header, payload, and signature. Runs in your browser — your token never leaves your device. Free, no signup.

Paste your JWT
Awaiting token

About JWT Decoder

Frequently asked questions

A JSON Web Token (JWT) is a compact, URL-safe way to represent a signed JSON object. It's three Base64URL-encoded parts separated by dots: header.payload.signature. The header says which algorithm was used to sign it, the payload carries the actual claims (user ID, expiry, scope, etc.), and the signature proves the token wasn't tampered with by someone who doesn't have the signing key.

No — and that's deliberate. Verifying a signature requires the signing key (HMAC secret or public key), which should never leave your server. This tool only decodes the structure so you can read what's in it. Treat the payload as 'asserted, not verified' — useful for debugging, not for trust decisions.

No. The decoder runs entirely in your browser using built-in atob() and JSON.parse(). Your token never leaves your device. The tool works offline once the page has loaded. That said: do not paste production access tokens from a shared computer — anyone with access to the browser history could retrieve them.

The seven standard registered claims defined in RFC 7519 — iss (issuer), sub (subject), aud (audience), exp (expiry), nbf (not-before), iat (issued-at), and jti (JWT ID). Timestamps are converted to ISO format for readability. The 'exp' chip turns red if the token is expired.