
JWT Decoder

Decode JWT header, payload, and signature — runs entirely in your browser

Paste any JWT and instantly see the decoded header (algorithm, token type) and payload (claims, expiry, issued-at) in readable JSON. The signature section is displayed but not verified — decoding only. Your token never leaves your browser; no data is sent to any server.

How to Decode a JWT

Paste your token and instantly see header, payload, and signature — browser-only.

Step 1

Paste your JWT

Copy a JWT from your Authorization header, cookie, or local storage and paste it into the input. The token format is validated instantly — a valid JWT has three dot-separated Base64URL segments.

Step 2

Inspect header and payload

The header shows the signing algorithm (e.g. HS256, RS256) and token type. The payload shows all claims — sub, iss, aud, exp, iat, and any custom claims — formatted as readable JSON.

Step 3

Check expiry and claims

The exp and iat timestamps are shown in human-readable local time so you can see at a glance whether the token has expired. Your token never leaves your browser.
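
The three steps above amount to the following decode-only routine, added here as an example and not taken from this tool's source. The names inspectJwt and decodeSegment, the NO_EXP status, the use of UTC instead of local time, and the sample token are assumptions made for the example.

```javascript
// Added example, not the tool's own source. Decode-only: the signature is
// returned as-is and never verified, so do not use the result for authorization.
const B64URL = /^[A-Za-z0-9_-]+$/;

function decodeSegment(segment) {
  // Base64URL -> Base64: swap the URL-safe characters and restore '=' padding.
  const padded = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
  // fatal: true rejects invalid UTF-8 instead of silently replacing it.
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  // Step 1: three dot-separated segments; header and payload must be Base64URL.
  if (parts.length !== 3 || !B64URL.test(parts[0]) || !B64URL.test(parts[1])) {
    throw new Error("not a three-segment Base64URL JWT");
  }
  // Step 2: header and payload are plain JSON once decoded.
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  // Step 3: render time claims and derive the banner from exp only.
  const times = {};
  for (const claim of ["exp", "iat", "nbf"]) {
    if (typeof payload[claim] === "number") {
      times[claim] = new Date(payload[claim] * 1000).toISOString(); // UTC
    }
  }
  let status = "NO_EXP"; // assumed label for tokens without an exp claim
  if (typeof payload.exp === "number") {
    status = payload.exp <= nowSeconds ? "EXPIRED" : "VALID";
  }
  return { header, payload, signature: parts[2], times, status, signatureVerified: false };
}

// Constructed sample token; the third segment is a placeholder, not a real signature.
const toB64Url = (obj) => btoa(JSON.stringify(obj))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_JWT = [
  toB64Url({ alg: "HS256", typ: "JWT" }),
  toB64Url({ sub: "user-123", iat: 1700000000, exp: 1700003600 }),
  "placeholder-signature",
].join(".");

console.log(inspectJwt(SAMPLE_JWT, 1700000100));
```

The VALID status here reflects only the exp comparison: a token whose payload was edited after signing decodes just as cleanly, which is why a decoded claim is not proof of anything until the signature is verified with the key.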

Features

Runs entirely in your browser using Base64URL decoding — zero server calls

Decodes the header (algorithm, token type) and payload (all claims) instantly

Displays exp, iat, and nbf timestamps in human-readable local time

Shows a clear VALID or EXPIRED status banner based on the exp claim

Signature section displayed but not verified — decoding only

Copy header or payload as formatted JSON with one click

Click Sample to decode a real example token immediately

Free, no sign-up — your tokens never leave your browser

Frequently Asked Questions

Is it safe to paste my JWT into this tool?

Yes. Decoding runs entirely inside your browser — your token is never sent to any server, logged, or stored anywhere. It uses Base64URL decoding with no network requests.

What is a JSON Web Token (JWT)?

A JWT is a compact, URL-safe token used to securely transmit information between parties. It has three Base64URL-encoded sections separated by dots: a Header (algorithm and type), a Payload (claims such as user ID and expiry), and a Signature. The header and payload are encoded, not encrypted, so anyone who holds the token can read them.

Does this tool verify the JWT signature?

No. Signature verification requires the secret (for example with HS256) or the public key matching the signer's private key (for example with RS256), which is never available to a client-side tool. This tool only decodes the header and payload.

What does 'Token is EXPIRED' mean?

The exp claim is a Unix timestamp. If that timestamp is in the past on your device, the token is considered expired. A valid status means the token has not yet expired — it does not mean the signature has been verified.

What are the most common JWT claims?

sub (subject — usually a user ID), iss (issuer), aud (audience), exp (expiry Unix timestamp), iat (issued-at Unix timestamp), nbf (not-before timestamp). Custom claims like name, email, and role are also commonly included.

Why does my JWT have three parts separated by dots?

The three parts are Header, Payload, and Signature — each independently Base64URL-encoded. Changing any character in the header or payload would invalidate the signature.