🔑 JWT · Header · Payload · Expiry · Browser-Only

JWT Decoder

Paste any JSON Web Token to instantly decode the header, payload, and all claims. Check expiry, algorithm, and issuer at a glance.


🏗️ JWT Structure

A JWT has three Base64URL-encoded parts separated by dots: Header (algorithm & type), Payload (claims), and Signature (verification). This tool decodes all three.

⏱ Expiry Check

The exp claim is a Unix timestamp indicating when the token expires. This tool automatically compares it to the current time and highlights expired tokens.

🔒 100% Private

Your JWTs are decoded entirely in your browser. Nothing is sent to any server. Safe to paste real tokens here — they never leave your device.

JWT Decoder — FAQ

Is it safe to paste my JWT here?

Yes — this tool operates entirely in your browser. Your token is never transmitted anywhere. That said, you should still treat JWTs as secrets: they grant access to whatever system issued them, so avoid pasting production tokens into any online tool when possible.

Can this tool verify the JWT signature?

No. Signature verification requires the secret key (for HMAC), which you should never share, or the public key (for RSA/EC). This tool only decodes and displays the header and payload — the same data anyone with the token can see.

What do the standard JWT claims mean?

sub (subject) — who the token represents. iss (issuer) — who created the token. aud (audience) — intended recipient. exp — expiry timestamp. iat — issued-at timestamp. nbf — not-before timestamp (token invalid before this time).
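
The three-part structure, the exp check and the claims described above, as an added JavaScript example (not this tool's own code). It decodes the header and payload without verifying the signature, so the claims it returns are untrusted; the function names and the sample token are constructed for illustration.

```javascript
// Added example. Token contents below are constructed sample values.

// Decode one Base64URL segment (no padding, '-' and '_' alphabet) to UTF-8 text.
function base64UrlToText(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment) || segment.length % 4 === 1) {
    throw new Error('segment is not valid Base64URL');
  }
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// Split header.payload.signature and parse the two JSON parts.
// Nothing here checks the signature, so every returned claim is unverified.
function decodeJwt(token) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = JSON.parse(base64UrlToText(parts[0]));
  const payload = JSON.parse(base64UrlToText(parts[1]));
  return { header, payload, signature: parts[2] };
}

// Compare nbf/exp (Unix seconds) with the clock. A token is expired once now >= exp.
function timeStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { exp, nbf } = payload;
  if (typeof nbf === 'number' && nowSeconds < nbf) return 'not-yet-valid';
  if (typeof exp !== 'number') return 'no-expiry';
  return nowSeconds >= exp ? 'expired' : 'within-validity-window';
}

// Constructed sample token; the third part is placeholder text, not a real signature.
const toSegment = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE_TOKEN = [
  toSegment({ alg: 'HS256', typ: 'JWT' }),
  toSegment({ sub: 'user-123', iss: 'https://issuer.example', aud: 'api.example',
              iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  'c2lnbmF0dXJl',
].join('.');

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header.alg, decoded.payload.iss, timeStatus(decoded.payload));
```

Passing an explicit nowSeconds makes the expiry result reproducible when reviewing a token captured earlier.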

What algorithms do JWTs support?

Common algorithms: HS256/HS384/HS512 (HMAC-SHA symmetric), RS256/RS384/RS512 (RSA asymmetric), ES256/ES384/ES512 (ECDSA). Always prefer asymmetric algorithms (RS256, ES256) in production — they allow public verification without exposing the signing key.