JWT Decoder
Decode and inspect JSON Web Tokens — view the header, payload, and signature with syntax highlighting. Timestamps are automatically converted to human-readable dates. Everything runs in your browser — nothing is uploaded.
Privacy: This tool decodes JWTs entirely in your browser. No token data is sent to any server. Avoid pasting tokens that contain sensitive secrets in shared or public environments.
How to use JWT Decoder
1. Paste your JWT token
Click the token input field and paste your JWT. The decoder starts parsing immediately as you type or paste — no button press needed.
2. Inspect the Header and Payload tabs
Switch between the Header, Payload, and Signature tabs to explore each part of the token. Keys are highlighted in teal, strings in dark, numbers in amber, and booleans in violet for easy reading.
3. Check timestamps and expiry
Fields like iat (issued at), exp (expiration), and nbf (not before) are automatically converted to human-readable dates. Expired tokens are flagged in red; active tokens show a countdown in the status bar.
4. Copy the decoded output
Use the Copy Header or Copy Payload buttons for individual sections, or Copy All to grab the complete decoded output for use in debugging or documentation.
Frequently Asked Questions
What is a JWT token?
- A JWT (JSON Web Token) is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three base64url-encoded parts separated by dots: a header (algorithm and token type), a payload (claims like user ID and expiry), and a signature used to verify authenticity.
Is it safe to paste my JWT here?
- This tool runs entirely in your browser — no token data is ever sent to a server. That said, JWTs can contain sensitive user information, so avoid pasting production tokens in shared, public, or untrusted environments. For testing, use short-lived tokens or sample tokens.
What do iat, exp, and nbf mean in a JWT payload?
- These are standard registered claim names. 'iat' (issued at) is the Unix timestamp when the token was created. 'exp' (expiration time) is when the token expires and should be rejected. 'nbf' (not before) is the earliest time the token is valid. All three are Unix timestamps (seconds since January 1, 1970).
Can this tool verify a JWT signature?
- No. Signature verification requires the secret key (for HMAC algorithms like HS256) or the public key (for RSA/ECDSA algorithms like RS256/ES256). Since keys should never be exposed to a browser, this tool only decodes the header and payload. For server-side verification, use a JWT library in your application code.
What JWT signing algorithms are supported?
- This decoder can parse tokens signed with any algorithm — HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, and more — since decoding the header and payload only requires base64url decoding, not cryptographic verification. The algorithm is displayed in the status bar and header panel.
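The difference between decoding and verifying described in the answers above, as an added Node.js example that is not this tool's own code: decoding and the exp/nbf check need no key, while the HS256 check does. The secret, the sample claims and all function names are constructed for illustration.

```javascript
// Added example: decode a JWT, classify its time claims, and verify HS256.
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Decoding needs no key: split on dots and base64url-decode the JSON parts.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3 || !parts.every((p) => /^[A-Za-z0-9_-]*$/.test(p))) {
    throw new Error('not a compact JWT (expected three base64url parts)');
  }
  const parse = (p) => JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  return { header: parse(parts[0]), payload: parse(parts[1]), signature: parts[2] };
}

// exp and nbf are seconds since the Unix epoch; nowSec is injectable for testing.
function timeStatus(payload, nowSec = Math.floor(Date.now() / 1000)) {
  if (typeof payload.nbf === 'number' && nowSec < payload.nbf) return 'not yet valid';
  if (typeof payload.exp === 'number' && nowSec >= payload.exp) return 'expired';
  return 'active';
}

// Verification needs the key. The algorithm is pinned to HS256 rather than
// trusted from the header, and the MACs are compared in constant time.
function verifyHs256(token, secret) {
  const { header, signature } = decodeJwt(token);
  if (header?.alg !== 'HS256') return false;
  const signingInput = token.slice(0, token.lastIndexOf('.'));
  const expected = crypto.createHmac('sha256', secret).update(signingInput).digest();
  const given = Buffer.from(signature, 'base64url');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed sample token and secret (not real credentials).
const SECRET = 'constructed-demo-secret';
function signSample(payload) {
  const input = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) + '.' + b64url(JSON.stringify(payload));
  return input + '.' + crypto.createHmac('sha256', SECRET).update(input).digest('base64url');
}
const sample = signSample({ sub: 'user-123', iat: 1700000000, nbf: 1700000000, exp: 1700003600 });

// A tampered token: payload edited after signing, original signature kept.
const [h, , s] = sample.split('.');
const tampered = [h, b64url(JSON.stringify({ sub: 'admin', exp: 9999999999 })), s].join('.');

// The tampered token still decodes cleanly; only verification rejects it.
console.log(decodeJwt(tampered).payload, 'verified:', verifyHs256(tampered, SECRET));
```

A decoded payload that looks valid says nothing about authenticity, which is why claims read from a decoder should never drive an authorization decision.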