JWT Decoder
Paste a JSON Web Token to read what's inside it. The header and payload are Base64URL-decoded and pretty-printed, standard claims like exp and iat become readable dates, and an expiry badge tells you at a glance whether the token has expired.
About this JWT decoder
A JSON Web Token (JWT) packs three Base64URL-encoded parts separated by dots: a header describing the signing algorithm, a payload of claims (the data), and a signature. This decoder splits the token, decodes the header and payload, and pretty-prints them with syntax highlighting. It also reads the registered time claims — exp, iat, and nbf — which are stored as Unix seconds, and shows them as human-readable UTC dates alongside a clear expired / not-expired status.
How to use it
- Paste a token in the form header.payload.signature — decoding happens as you type.
- Read the decoded Header and Payload side by side.
- Check the Registered claims panel for issue, not-before, and expiry times in readable form.
- The expiry badge shows green when the token has not yet expired and red once exp has passed.
Decoding only — no verification
This tool does not verify signatures. Verifying a JWT requires the signing secret (for HMAC) or the issuer's public key (for RSA/ECDSA), and that check belongs on your server, never in a public web page. Treat anything decoded here as untrusted until your backend has verified it.
Is my token private?
Yes. The token is decoded entirely in your browser with plain JavaScript. It is never sent to a server, logged, or stored — nothing leaves the page. Even so, avoid pasting real production tokens into any online tool out of habit.
Does this verify the token is authentic?
No. It decodes and displays the contents only. Signature verification needs a key and must happen on a trusted server; a decoded payload alone proves nothing about authenticity.
Why is the payload readable without a password?
A JWT is signed, not encrypted. The header and payload are merely Base64URL-encoded, so anyone can read them. Never store secrets in a JWT payload — assume it is fully public.
What do exp, iat, and nbf mean?
iat is when the token was issued, nbf the earliest time it's valid (not before), and exp when it expires. All three are Unix timestamps in seconds; this tool converts them to UTC dates for you.
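The decoding steps and time-claim handling described on this page, as an added JavaScript example (not this tool's own source). The function names, the sample token and the fixed clock value are assumptions made for illustration.

```javascript
// Added example: decode-only inspection. Nothing here checks the signature.
function b64urlToText(part) {
  if (!/^[A-Za-z0-9_-]+$/.test(part)) throw new Error("not Base64URL");
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  // Base64URL drops '=' padding; restore it before atob().
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // claims may contain UTF-8
}

function parseJsonObject(part, name) {
  const value = JSON.parse(b64urlToText(part));
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error(name + " is not a JSON object");
  }
  return value;
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = parseJsonObject(parts[0], "header");
  const payload = parseJsonObject(parts[1], "payload");
  const times = {};
  for (const claim of ["iat", "nbf", "exp"]) {
    const v = payload[claim];
    // Unix seconds; skip non-numbers and values outside the JS Date range.
    if (Number.isFinite(v) && Math.abs(v) <= 8.64e12) {
      times[claim] = new Date(v * 1000).toISOString();
    }
  }
  let status = "no usable exp claim";
  if ("exp" in times) status = nowSeconds >= payload.exp ? "expired" : "not expired";
  // verified is always false: a decoded payload says nothing about authenticity.
  return { header, payload, times, status, verified: false };
}

// Constructed sample token; the third part is a placeholder, not a real signature.
const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user-123", iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  "constructed-placeholder",
].join(".");

console.log(decodeJwt(SAMPLE_TOKEN, 1700000100));
```

The sample decodes even though its third part is a placeholder, which is why a decoded payload cannot be treated as trusted.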