{ "alg": "HS256", "typ": "JWT" }
{ "sub": "usr_8x42", "name": "Ada Lovelace", "iat": 1751961600, "exp": 1783497600 }
The JWT decoder splits a JSON Web Token into its three parts — header, payload and signature — and decodes the base64url-encoded header and payload into readable JSON. It also reads the standard time claims so you can see at a glance whether a token has expired.
Decoding happens entirely in your browser. The token you paste is never uploaded, which matters because JWTs frequently carry access credentials — you can safely inspect a real production token without it leaving your machine.
It is built for developers debugging auth: check what claims a token carries, confirm the issuer and audience, see when it was issued and when it expires, and understand why a request is being rejected.
A JWT is three base64url-encoded segments joined by dots. The decoder converts the header and payload from base64url — which uses - and _ instead of + and / and drops padding — back into JSON, so you can read the claims directly.
The third segment is a signature computed by the issuer using a secret or private key. Without that key the signature cannot be validated, and the key should never be pasted into a web tool. The decoder shows the signature but does not claim the token is authentic — treat decoded claims as unverified.
The decoder reads the registered claims exp (expiry), iat (issued-at) and nbf (not-before), which are Unix timestamps in seconds. It shows human-readable times and flags a token whose exp is in the past as expired.
Alongside the timestamps you will typically see iss (issuer), aud (audience), sub (subject) and jti (token id). These identify who issued the token, who it is for and which principal it represents — useful when a token works against one service but not another.
No. Decoding only reveals the claims; it does not check the signature. A token could be tampered with or forged and still decode. Signature verification requires the issuer's secret or public key, which you should never paste into a web tool.
The decoding is done entirely in your browser and the token is never uploaded, so it does not leave your machine. That said, treat any token you paste anywhere as potentially exposed and rotate it if in doubt.
The signature is computed with a secret or private key held only by the issuer. Without that key it is impossible — by design — to verify the signature, and entering a secret into any online tool is unsafe.
The decoder reads the exp claim, a Unix timestamp in seconds, and marks the token expired if that time is in the past. It also shows iat and nbf so you can see the full validity window.
A JWT must have three dot-separated base64url segments. If a part is missing, truncated, or the encoding is corrupted, decoding fails. Make sure you copied the whole token with no line breaks.