Paste a JSON Web Token to read its header, payload, and claims — with expiry and issued-at shown as readable dates. Decoded in your browser, never uploaded.
Paste a JSON Web Token to decode it.
Header, payload, and claims.
A JSON Web Token is made of three Base64URL-encoded parts — a header, a payload, and a signature — joined by dots. The header and payload are readable by anyone; only the signature proves the token hasn't been tampered with. This decoder shows you the header and payload so you can inspect claims like the subject, issuer, scopes, and expiry while debugging authentication.
Because everything is decoded locally, you can safely paste tokens that contain personal or session data — nothing is transmitted. Remember to verify the signature server-side before you rely on a token in production.
No. This tool decodes the header and payload so you can read the claims — it does not verify the signature. A JWT's payload is only Base64URL-encoded, not encrypted, so anyone can read it. Always verify the signature on your server before trusting a token.
No. Decoding happens entirely in your browser with JavaScript. Your token never leaves the page, so it's safe to decode tokens that contain sensitive claims.
They are standard JWT time claims, stored as Unix timestamps: 'iat' (issued at) is when the token was created, 'exp' (expires) is when it becomes invalid, and 'nbf' (not before) is the earliest time it may be used. This tool converts them to readable dates and flags expired tokens.
Because a standard JWT is signed, not encrypted. The signature guarantees the token wasn't altered, but the contents are plainly readable. Never put secrets in a JWT payload.