JWT Decoder

Decode and inspect JSON Web Tokens. See the header, payload and expiration status.

Key Features

  • Decodes any JWT and displays the header, payload, and signature sections clearly.
  • Pretty-prints the JSON payload with syntax highlighting for easy inspection.
  • Shows the token's expiry (exp), issued-at (iat), and not-before (nbf) claims as human-readable dates.
  • Highlights whether the token is currently expired based on the exp claim.
  • Runs entirely in the browser — your token is never sent to any server.
  • Explains common JWT claims inline so you understand exactly what each field means.

Frequently Asked Questions

Is it safe to paste a JWT into a decoder?

This decoder runs entirely in your browser — the token is never transmitted anywhere. That said, avoid pasting production tokens containing sensitive user data into any online tool when possible.

Does this tool verify the JWT signature?

Decoding and verification are different operations. This tool decodes the header and payload (which are Base64url-encoded, not encrypted) but does not cryptographically verify the signature, as that requires the secret or public key.

Why can anyone read the contents of a JWT?

A JWT is signed, not encrypted. The payload is only Base64url-encoded, so anyone who holds the token can read it. Sensitive data should never be placed in a JWT payload unless the token is also encrypted (a JWE).

What does the JWT signature actually protect?

The signature ensures the token has not been tampered with. If any part of the header or payload changes after signing, the signature will no longer match and the token will be rejected by the verifying server.
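
The difference between decoding and verifying described in the answers above, as an added example for Node.js (not this tool's own code): a tampered token still decodes cleanly and is rejected only once the signature is recomputed with the key. It assumes HS256 with a shared secret; the key, claims and function names are constructed for illustration.

```javascript
const nodeCrypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const hmac = (key, msg) => nodeCrypto.createHmac("sha256", key).update(msg).digest();

// Issuer side: sign "header.payload" with the shared secret.
function signHS256(payload, key) {
  const signingInput = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" })) +
    "." + b64url(JSON.stringify(payload));
  return signingInput + "." + b64url(hmac(key, signingInput));
}

// Decoding needs no key: split on "." and Base64url-decode the first two parts.
function decode(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts.slice(0, 2)
    .map((p) => JSON.parse(Buffer.from(p, "base64url").toString("utf8")));
  return { header, payload };
}

// Verification needs the key: recompute the MAC over "header.payload" and
// compare it with the token's signature in constant time.
function verifyHS256(token, key, nowSeconds) {
  let decoded;
  try { decoded = decode(token); } catch { return false; }
  if (decoded.header?.alg !== "HS256") return false; // pin the expected algorithm
  const [h, p, s] = token.split(".");
  const expected = hmac(key, h + "." + p);
  const given = Buffer.from(s, "base64url");
  if (given.length !== expected.length) return false;
  if (!nodeCrypto.timingSafeEqual(given, expected)) return false;
  // exp is read only after the signature check, from claims known to be authentic.
  const exp = decoded.payload?.exp;
  return typeof exp !== "number" || nowSeconds < exp;
}

// Constructed sample data.
const KEY = "constructed-demo-secret";
const claims = { sub: "alice", role: "user", exp: 2000000000 };
const token = signHS256(claims, KEY);

// Tampered copy: payload changed after signing, original signature kept.
const [origHeader, , origSig] = token.split(".");
const forged = [origHeader, b64url(JSON.stringify({ ...claims, role: "admin" })), origSig].join(".");

console.log(decode(forged).payload.role, verifyHS256(token, KEY, 1700000000),
  verifyHS256(forged, KEY, 1700000000)); // admin true false
```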
