JWT Decoder

Decode and inspect JSON Web Tokens instantly. View header, payload, and signature with expiration status. Everything runs in your browser.

100% Private Instant No Limits

Paste JWT Token

Security Warning: This token uses alg:none — it is accepted unsigned. This is a known attack vector (CVE-2015-9235). Do not trust this token for authentication.

Header

Payload

Signature

Payload Claims

Verify Signature ()

Secret

How It Works

Paste Your Token

Paste any JWT token into the input field. The tool automatically detects the three-part structure (header.payload.signature).

Instant Decode

The header and payload are Base64-decoded and displayed as formatted JSON with syntax highlighting and color-coded sections.

Check Expiration

Timestamp claims (exp, iat, nbf) are automatically converted to human-readable dates, and expiration status is shown at a glance.

Frequently Asked Questions

A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and information exchange between parties. It consists of three Base64-encoded parts separated by dots: a header (algorithm and type), a payload (claims/data), and a cryptographic signature.

Yes. All decoding happens entirely in your browser. Your token is never transmitted to any server or stored anywhere. However, remember that JWTs are not encrypted -- anyone with the token can read the payload. This tool only decodes; it does not verify signatures.

No. Signature verification requires the secret key or public key used to sign the token, which this tool intentionally does not ask for. This is a decoder and inspector, not a validator. For signature verification, use your application's JWT library.

iss (issuer) identifies who created the token. sub (subject) identifies the user. aud (audience) identifies the intended recipient. exp (expiration) is when the token becomes invalid. iat (issued at) is when the token was created. nbf (not before) is the earliest time the token is valid.