JWT decoder

Paste any JWT to decode its header and payload. Expiry and issued-at times are shown in human-readable format.

How JWT decoding works

A JSON Web Token (JWT) consists of three Base64url-encoded parts separated by dots: Header.Payload.Signature. Base64url is the URL-safe Base64 alphabet (RFC 4648 section 5) with the '=' padding dropped. The header names the algorithm used to sign the token (e.g., HS256, RS256) and sometimes a key ID (kid). The payload carries claims: registered fields such as sub (subject), iat (issued at), exp (expiry), and aud (audience), plus any custom claims the application adds. The signature is not a plain hash of the other two parts: it is an HMAC (HS256) or a digital signature (RS256, ES256) computed with a key over the encoded header and payload joined by a dot, so only a holder of the signing key can produce a valid one.

This tool decodes the header and payload by Base64url-decoding each segment and parsing the resulting JSON. The exp and iat timestamps are seconds since the Unix epoch and are displayed as human-readable dates. Important: decoding a JWT does not verify its authenticity. The signature is not checked here, because that requires the issuer's secret key (HS256) or public key (RS256/ES256), and anyone can produce a token whose payload decodes to whatever they like. A decoded JWT shows you what claims it carries; only server-side signature verification, together with checks on exp, iss and aud, confirms those claims are trustworthy. Never make access-control decisions from decoded JWT claims in a browser.
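The decoding step described above, as an added example in Node.js (not the tool's own code): Base64url-decode each segment, parse the JSON, and render iat/exp as dates without touching the signature. The function names, the EXPIRED_JWT token and the placeholder signature are constructed for this example; SAMPLE_JWT is the widely circulated HS256 demo token.

```javascript
// Added example (not the tool's own code): decode a JWT's header and payload
// without verifying the signature. Function names and sample tokens are
// constructed for this example.

function base64UrlDecode(segment) {
  // base64url (RFC 4648 section 5): '-' for '+', '_' for '/', padding dropped.
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('invalid base64url segment length');
  if (rem) b64 += '='.repeat(4 - rem);
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Numeric date claims (iat, exp, nbf) are seconds since the Unix epoch, not ms.
function toIso(seconds) {
  return typeof seconds === 'number' ? new Date(seconds * 1000).toISOString() : undefined;
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  return {
    header,
    payload,
    issuedAt: toIso(payload.iat),
    expiresAt: toIso(payload.exp),
    // Informational only: an unsigned or forged payload can carry any exp.
    expired: typeof payload.exp === 'number' && payload.exp <= nowSeconds,
    signature: parts[2], // kept as-is, never checked here
  };
}

// Widely circulated HS256 demo token: header {"alg":"HS256","typ":"JWT"},
// payload {"sub":"1234567890","name":"John Doe","iat":1516239022}.
const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

// Constructed token with an expiry in the past; the signature segment is a
// placeholder, which a decoder (unlike a verifier) does not care about.
const EXPIRED_JWT = base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) + '.' +
  base64UrlEncode(JSON.stringify({ sub: '42', iat: 1600000000, exp: 1600003600 })) + '.' +
  'placeholder-signature';

console.log(decodeJwt(SAMPLE_JWT));
console.log(decodeJwt(EXPIRED_JWT, 1700000000));
```

In a browser the same logic works with atob() in place of Buffer, after the same '-'/'_' substitution and re-padding; the length check matters because a segment whose length is 1 mod 4 can never be valid Base64.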

Frequently asked questions

What is a JWT?

A JWT (JSON Web Token, RFC 7519) is a compact, URL-safe token that carries a set of claims together with a signature over them. It consists of three Base64url-encoded parts separated by dots: a header (algorithm), a payload (claims), and a signature. The signature gives the recipient integrity and origin assurance; it does not give confidentiality, because the payload is only encoded, not encrypted.

Is it safe to decode a JWT in this tool?

Decoding a JWT is safe in itself: it only reads the header and payload, which are not encrypted, just Base64url-encoded. The risk is in the token, not the decoding. A JWT is a bearer credential, so pasting a live production token anywhere is equivalent to handing that session to whoever can see it. Avoid pasting production JWTs containing sensitive user data into any online tool; prefer expired or test tokens. This tool processes everything locally in your browser; nothing is sent to a server.

What are JWT claims?

JWT claims are statements about the token's subject and the token itself. The registered claims defined in RFC 7519 include 'sub' (subject, usually a user ID), 'iat' (issued at, as a Unix timestamp), 'exp' (expiry), 'nbf' (not valid before), 'aud' (audience) and 'iss' (issuer). Applications can also add custom claims such as user roles or permissions. Custom claims are only as trustworthy as the signature that covers them: a role claim in a token that has not been verified is just text.

What is the difference between decoding and verifying a JWT?

Decoding reads the payload without any validation; anyone can decode any JWT, including one they forged a moment ago. Verifying recomputes or checks the signature using the issuer's secret (HS256) or public key (RS256/ES256), which confirms the token has not been tampered with and was issued by a holder of the key. A proper verification also pins the expected algorithm rather than trusting the alg value in the header, and then checks exp, nbf, iss and aud against what the server expects. Always verify on the server side before trusting JWT claims.

Related tools

Base64 → JSON formatter → Regex tester →