JWT Decoder
Decode and inspect JWT (JSON Web Token) header, payload, and signature instantly. Free, browser-based, no token sent to servers.
How to Use
- Paste your JWT token into the input box.
- Click Decode (or press Ctrl+Enter / Cmd+Enter).
- The Header, Payload, and Signature are displayed with syntax highlighting.
- Timestamp claims (
exp,iat,nbf) show a human-readable date and expiry status. - Click Copy in any section to copy that JSON to clipboard.
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and information exchange. It consists of three Base64URL-encoded parts separated by dots:
- Header: Specifies the signing algorithm (e.g., HS256, RS256) and token type.
- Payload: Contains claims — statements about an entity (typically the user) and additional metadata.
- Signature: Ensures the token has not been tampered with. Requires the secret or public key to verify.
Common claims include sub (subject), iss (issuer), exp (expiration),
iat (issued at), and aud (audience).
FAQ
Is my JWT token sent to any server?
No. Decoding happens entirely in your browser using JavaScript. Your token never leaves your machine.
Can this tool verify the JWT signature?
Signature verification requires the secret key or public key. This tool decodes and displays the payload without verifying the signature — use it to inspect claims only.
What are the three parts of a JWT?
A JWT is three Base64URL-encoded parts separated by dots: Header (algorithm and token type), Payload (claims/data), and Signature (used to verify integrity).
What does 'exp' mean in the payload?
'exp' is the expiration time claim — a Unix timestamp indicating when the token expires. This tool shows a human-readable date next to the raw value.