JWT Decoder

Paste a JWT to decode its header and payload, inspect claims, and check expiry. Never sent to a server.


How to Use the JWT Decoder

  1. Paste your JWT token (the full xxxxx.yyyyy.zzzzz string) into the input field.
  2. The header and payload sections are decoded and displayed immediately as formatted JSON.
  3. Review the algorithm, expiry (exp), issued-at (iat), and any custom claims in the payload.

About the JWT Decoder

JSON Web Tokens (JWTs) are the standard mechanism for transmitting authentication and authorization information in modern web applications. A JWT consists of three Base64URL-encoded parts: the header (algorithm and token type), the payload (claims such as user ID, roles, and expiry), and the signature (used for server-side verification). This decoder reveals the header and payload instantly, which is useful during development for debugging auth issues, checking token expiry, or inspecting claim values. The signature is not verified client-side, so the decoded claims are displayed as-is rather than authenticated; because decoding is 100% local, your token is never sent anywhere.
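The decoding described above, as an added example in JavaScript (not the tool's own source): it splits the three segments, converts Base64URL to the standard Base64 that atob() expects, parses the header and payload, and evaluates the exp, nbf and iat claims against a reference time. The sample token and the function names are constructed for this example; the signature segment is carried through but not checked.

```javascript
// Added example, not the tool's own source: decode a JWT's header and payload
// locally and evaluate its time claims. The signature is NOT verified.

// JWT segments are base64url (RFC 4648 section 5): '-' and '_' replace '+' and '/',
// and padding is dropped. atob() expects standard Base64, so convert and re-pad first.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error('segment is not base64url');
  const pad = (4 - (segment.length % 4)) % 4;
  if (pad === 3) throw new Error('invalid base64url length');
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat(pad);
  const bytes = Uint8Array.from(atob(b64), (ch) => ch.charCodeAt(0));
  return new TextDecoder('utf-8').decode(bytes); // decode as UTF-8, not Latin-1
}

// Split header.payload.signature and parse the two JSON parts. The signature
// segment is returned untouched: without the key it cannot be checked, so the
// returned claims are unverified input, not proof of anything.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected three dot-separated segments');
  const [h, p, s] = parts;
  return {
    header: JSON.parse(base64UrlDecode(h)),
    payload: JSON.parse(base64UrlDecode(p)),
    signature: s,
  };
}

// Evaluate exp / nbf / iat (seconds since the Unix epoch) against nowSec.
// leewaySec tolerates small clock skew between the issuer and this client.
function checkTimeClaims(payload, nowSec, leewaySec = 0) {
  const num = (v) => (typeof v === 'number' && Number.isFinite(v) ? v : undefined);
  const exp = num(payload.exp), nbf = num(payload.nbf), iat = num(payload.iat);
  return {
    expired: exp !== undefined && nowSec >= exp + leewaySec,
    notYetValid: nbf !== undefined && nowSec + leewaySec < nbf,
    issuedInFuture: iat !== undefined && iat > nowSec + leewaySec,
    secondsToExpiry: exp !== undefined ? exp - nowSec : null,
  };
}

// Constructed sample token (HS256 header, sub/name/iat claims). Signature not checked.
const SAMPLE_JWT =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

const decoded = decodeJwt(SAMPLE_JWT);
console.log(decoded.header, decoded.payload, checkTimeClaims(decoded.payload, 1516239100));
```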

Frequently Asked Questions

Is it safe to paste my JWT here?
Yes. All decoding happens in your browser using JavaScript's atob() function — your token is never transmitted to any server or stored anywhere. That said, avoid pasting production tokens containing sensitive data in shared or public environments as a general security practice.
What is a JWT token?
A JSON Web Token (JWT) is a compact, URL-safe token format defined by RFC 7519. It is commonly used to represent authentication claims between a client and server. A JWT has three parts separated by dots: a Base64URL-encoded header, a Base64URL-encoded payload, and a cryptographic signature.
Can I verify the JWT signature here?
Signature verification requires the secret key (for HMAC algorithms like HS256) or the public key (for RSA/EC algorithms like RS256). This tool decodes the header and payload only. Signature verification should be performed server-side using your auth library.
What does the payload contain?
The payload contains claims — statements about the token subject. Standard claims include: sub (subject/user ID), exp (expiry time as Unix timestamp), iat (issued at time), nbf (not valid before), and iss (issuer). Applications commonly add custom claims like roles, email, or permissions.