JWT Decoder
Local processing · never uploaded
Decode a JSON Web Token to read its header, payload and signature — 100% in your browser.
What is JWT Decoder?
JWT Decoder is a fast, free online tool that decodes a JSON Web Token (JWT) so you can read its contents instantly. A JWT is made of three Base64URL-encoded parts joined by dots in the form header.payload.signature. This tool splits the token, decodes the header and payload back into readable JSON, and shows the raw signature segment — all entirely inside your browser.
The first part, the header, describes how the token is signed — typically the algorithm (alg, such as HS256 or RS256) and the token type (typ, usually JWT). The second part, the payload, carries the claims: the actual data the token asserts. You will often see registered claims such as iss (issuer), sub (subject), aud (audience), exp (expiration time), iat (issued at) and nbf (not before). Time claims are Unix timestamps in seconds, so this decoder converts exp, iat and nbf into your local date and time to make them easy to read, and shows whether the token is currently expired.
It is important to understand that decoding a JWT is not the same as verifying it. The header and payload are only Base64URL-encoded, not encrypted, so anyone who holds the token can read them — never put secrets in a payload. The third segment, the signature, is what proves the token was issued by a trusted party and has not been tampered with. Verifying that signature requires the secret or public key and is a separate cryptographic step. This tool is decode-only: it deliberately does not verify the signature. Do not trust the contents of an unverified token for any security decision in real systems — always verify on the server with the correct key.
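The difference between decoding and verifying, as an added example that is not this tool's own code: it decodes a token the way described above, then checks an HS256 signature with Node's crypto module. The secret, the claims and the function names are constructed for illustration.

```javascript
// Added example (not this tool's code): decode vs. verify for an HS256 JWT in Node.js.
const { createHmac, timingSafeEqual } = require("node:crypto");

const b64url = (buf) => Buffer.from(buf).toString("base64url");
const fromB64url = (s) => Buffer.from(s, "base64url");

// Decode only: split, Base64URL-decode, parse. No key is involved, so this proves nothing.
function decodeJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(fromB64url(p).toString("utf8")));
  const times = {};
  for (const claim of ["exp", "iat", "nbf"]) {
    if (typeof payload[claim] === "number") times[claim] = new Date(payload[claim] * 1000).toISOString();
  }
  const expired = typeof payload.exp === "number" ? nowSec >= payload.exp : null;
  return { header, payload, times, expired, signature: parts[2] };
}

// Verify: recompute the HMAC over "header.payload" with the secret and compare in constant time.
// The algorithm is pinned here by the verifier, never chosen from the token's own header.
function verifyHs256(token, secret) {
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  let header;
  try { header = JSON.parse(fromB64url(parts[0]).toString("utf8")); } catch { return false; }
  if (header.alg !== "HS256") return false;
  const expected = createHmac("sha256", secret).update(`${parts[0]}.${parts[1]}`).digest();
  const given = fromB64url(parts[2]);
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Constructed sample data: a demo secret and a token signed with it.
const DEMO_SECRET = "constructed-demo-secret";
function sign(header, payload, secret) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${createHmac("sha256", secret).update(input).digest("base64url")}`;
}
const genuine = sign({ alg: "HS256", typ: "JWT" }, { sub: "alice", role: "user", exp: 2000000000 }, DEMO_SECRET);

// An edited payload under the old signature still decodes cleanly but no longer verifies.
const [h, , s] = genuine.split(".");
const tampered = `${h}.${b64url(JSON.stringify({ sub: "alice", role: "admin", exp: 2000000000 }))}.${s}`;

console.log(decodeJwt(tampered).payload.role, verifyHs256(tampered, DEMO_SECRET)); // admin false
console.log(decodeJwt(genuine).payload.role, verifyHs256(genuine, DEMO_SECRET));   // user true
```

A decoder shows the edited claim exactly as it shows the genuine one; only the check that holds the key tells them apart.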
Everything runs locally in your browser. The token you paste is never sent to a server, logged or stored, so it is safe to inspect access tokens, ID tokens and other sensitive JWTs while debugging an API, an OAuth or OpenID Connect flow, or a login problem. Use it together with a Base64 tool to inspect individual segments, or a JSON formatter to pretty-print the decoded claims.
FAQ
Does this verify the signature?
No. This tool is decode-only — it reads the header and payload but does not verify the signature. Verifying a JWT requires the secret or public key and must be done on the server. Never trust an unverified token for security decisions.
What are the three parts of a JWT?
A JWT is header.payload.signature. The header and payload are Base64URL-encoded JSON, and the signature is a cryptographic value that proves the token is authentic. The two dots separate the three parts.
Why can I read the payload without a key?
Because a standard JWT payload is only encoded, not encrypted. Base64URL is fully reversible, so anyone with the token can read its claims. For that reason you should never store secrets inside a JWT payload.
What do exp, iat and nbf mean?
They are time claims expressed as Unix timestamps in seconds: exp is when the token expires, iat is when it was issued, and nbf is the earliest time it is valid. This decoder shows each as your local date and time.
Is my token sent to a server?
No. Decoding happens entirely in your browser. The token you paste is never uploaded, logged or stored, so it is safe to inspect sensitive access or ID tokens here.