JWT decoder
Inspect a JWT token’s header and claims.
- Instant
- Free
- Private (processed locally)
- No sign-up
See what your token actually carries
A JWT looks like noise — it is actually base64url-encoded JSON, readable by anyone. Paste a token: the tool splits and decodes the header and payload, pretty-prints the JSON, converts timestamps into dates and tells you whether the token has expired.
Anatomy of a JWT
| Part | Content | Example |
|---|---|---|
| Header | Algorithm and type | {"alg":"HS256","typ":"JWT"} |
| Payload | The claims (business data) | {"sub":"1234567890","exp":1716239022} |
| Signature | HMAC or asymmetric signature | SflKxwRJ… (encoded binary) |
Registered claims worth knowing
- iss (issuer): who issued the token — your authentication server.
- sub (subject): who it is about — the user identifier.
- aud (audience): who it is intended for — the API that should accept it.
- exp / nbf / iat: the temporal validity window, as Unix timestamps.
Security reminder: decoding is not verifying. A plausible-looking token can be forged; only server-side signature verification (with the right key and algorithm) is authoritative. Never store secrets in the payload: it is public.
Frequently asked questions
What is a JWT?
A JSON Web Token (RFC 7519) is a compact token made of three base64url-encoded parts separated by dots: a header (algorithm), a payload (the claims: identity, expiry…) and a signature that guarantees its integrity.
Is decoding a JWT the same as “cracking” it?
No. The header and payload are not encrypted, just base64url-encoded: anyone can read them. JWT security relies on the signature, which prevents modification, not reading.
Does this tool verify the signature?
No, deliberately: it decodes and displays the content, nothing more. Signature verification requires the secret or public key and must happen server-side. Never trust a token based solely on its decoded content.
What do exp, iat and nbf mean?
They are Unix timestamps: exp = expiry date, iat = issued-at date, nbf = date before which the token is invalid. The tool converts them to readable dates and tells you whether the token has expired.
Is it safe to paste a real token here?
Decoding is 100% local; nothing is transmitted. As a hygiene measure, still avoid handling valid production tokens outside secure environments, and revoke any token exposed by accident.