Tools Harbor

JWT Decoder

Decode a JWT token to view its header, payload and expiry — client-side only.

Decode any JWT — locally in your browser

A JWT (JSON Web Token, pronounced “jot”) is a signed, base64url-encoded blob used for authentication and authorization. It has three parts separated by dots: header.payload.signature. The header and payload are just base64url-encoded JSON — you can read them without knowing the signing key. The signature is what binds the two halves together.

What this tool shows

  • Header. Typically contains alg (signing algorithm) and typ (always “JWT”).
  • Payload. The actual claims — who the token is about, when it expires, what scopes it has.
  • Signature. Displayed as-is. Verifying it requires a key this tool does not have.
  • Expiration banner. If the payload contains an exp claim, the tool shows whether it has already passed.
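A minimal decoder that does what the list above describes, added here as an example and not the Tools Harbor tool's own code. The token it decodes is constructed inline with a placeholder signature, and the `nowSeconds` parameter is an assumption that makes the expiry check deterministic.

```javascript
// Added example: a minimal client-side JWT decoder that does what the list above
// describes (decode header/payload, show the signature, flag expiry) and nothing more.

function base64UrlDecode(segment) {
  // base64url -> standard base64: swap the URL-safe alphabet and restore padding
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // JWT JSON is UTF-8
}

// nowSeconds is an assumed parameter so the expiry check is deterministic in tests.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected header.payload.signature, got ${parts.length} part(s)`);
  }
  const [h, p, signature] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  // exp is a NumericDate (seconds since the Unix epoch); a token is expired once now >= exp
  let expiry = null;
  if (typeof payload.exp === 'number') {
    expiry = {
      at: new Date(payload.exp * 1000).toISOString(),
      expired: nowSeconds >= payload.exp,
      secondsLeft: payload.exp - nowSeconds,
    };
  }
  // Nothing here checks the signature, so "verified" is always false: an empty or
  // garbage signature segment decodes just as cleanly as a genuine one.
  return { header, payload, signature, expiry, verified: false };
}

// Constructed sample token for offline use; the signature is a placeholder, not an HMAC.
function base64UrlEncode(str) {
  const bin = String.fromCharCode(...new TextEncoder().encode(str));
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function makeSampleToken(exp) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = base64UrlEncode(
    JSON.stringify({ sub: 'user-123', scope: 'read', iat: exp - 3600, exp })
  );
  return `${header}.${payload}.placeholder-signature`;
}

console.log(decodeJwt(makeSampleToken(Math.floor(Date.now() / 1000) + 300)));
```

The `verified: false` field is deliberate: a decoder that never sees a key cannot say anything about authenticity, only about what the token claims.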

Why signatures are not verified here

Verifying an HS256 signature requires the shared secret known to the token issuer and the server that validates it — something you should never paste into a web tool. Verifying an RS256 signature requires the issuer’s public key, which is fetchable but rarely what casual token inspection needs.

If you need to verify a token, use a library like jose in Node.js, pyjwt in Python, or the native JWT validation in your framework.

Privacy

The entire decode happens in your browser. No token is ever sent to a server, logged, or stored.

Frequently asked questions

Does this tool verify the signature?
No — and no browser-only tool can, safely. Verifying a signature requires the issuer's secret (for HS256) or their public key (for RS256 / ES256). If you need verification, use a server-side library or jwt.io with your own keys.
Is it safe to paste a token here?
Yes. The decoder runs entirely in your browser — the token is parsed locally and no network request is made. That said, you should still rotate any token you've pasted into a tool you don't control, as a matter of habit.
What do "exp" and "iat" mean?
`exp` (expiration time) is the timestamp after which the token is invalid. `iat` (issued at) is the timestamp when the token was created. Both are expressed in seconds since the Unix epoch.