JWT Decoder
A JSON Web Token (JWT) has three Base64url-encoded parts separated by dots: header, payload, and signature. This tool decodes and displays all three parts, but the signature is not verified - do not use this to validate token authenticity.
1. Paste a JWT token into the input field
2. The header, payload, and signature are decoded instantly in separate panels
3. Check the expiry time in the Payload panel to see if the token is still valid
▸ Debugging authentication issues by inspecting token claims
▸ Checking token expiry during development without decoding it in code
▸ Verifying the algorithm and claims structure of a token
Does this validate the JWT signature?
This tool decodes the header and payload without verifying the signature. Signature verification requires the secret key (or, for asymmetric algorithms such as RS256 or ES256, the issuer's public key) and should be done server-side.
Is it safe to paste a production JWT here?
JWTs can contain sensitive claims (user IDs, roles, emails). Decoding runs entirely in your browser with no server transmission, but avoid pasting tokens in shared or public browser sessions.
What are the three parts of a JWT?
A JWT has three Base64url-encoded sections separated by dots: the header (algorithm and token type), the payload (claims), and the signature.
What does "exp" mean in the payload?
"exp" is the expiration time claim - a Unix timestamp after which the token is no longer valid. The tool shows this as a human-readable date.
Is my token sent to a server?
Decoding happens entirely in your browser. The token is never transmitted to any server.
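
The decoding described above (three Base64url parts, the "exp" claim shown as a date, no signature check) can be reproduced in a few lines of JavaScript. This is an added example, not the tool's own code; the function names decodeJwt and b64urlToBytes and both sample tokens are constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. No signature check is performed.
function b64urlToBytes(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("segment is not valid Base64url");
  }
  // Base64url swaps "+/" for "-_" and drops "=" padding; undo both for atob().
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const utf8 = new TextDecoder("utf-8", { fatal: true });
  const [header, payload] = parts
    .slice(0, 2)
    .map((p) => JSON.parse(utf8.decode(b64urlToBytes(p))));
  const sig = b64urlToBytes(parts[2]); // raw bytes, not JSON
  const hasExp = typeof payload.exp === "number";
  return {
    header,
    payload,
    signatureHex: Array.from(sig, (b) => b.toString(16).padStart(2, "0")).join(""),
    expiresAt: hasExp ? new Date(payload.exp * 1000).toISOString() : null,
    // "exp" is in seconds; the token is expired at or after that instant.
    expired: hasExp ? nowSeconds >= payload.exp : null,
    signatureVerified: false, // decoding proves nothing about authenticity
  };
}

// Constructed sample input (not a real token; the signature is placeholder bytes).
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SIG = "c2lnbmF0dXJl"; // Base64url of the ASCII text "signature"
const SAMPLE = [enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user-123", role: "viewer", exp: 1700000000 }), SIG].join(".");
// Same header and signature, edited payload: it decodes without complaint,
// which is why decoded claims must not be trusted until verified server-side.
const EDITED = [SAMPLE.split(".")[0],
  enc({ sub: "user-123", role: "admin", exp: 1700000000 }), SIG].join(".");

console.log(decodeJwt(SAMPLE));
console.log(decodeJwt(EDITED).payload.role, decodeJwt(EDITED).signatureVerified);
```

Both sample tokens decode cleanly even though the second payload no longer matches its signature, so an "unexpired" result here only means the "exp" claim is in the future, not that the token is authentic.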