trace·warrior
  • Tools
  • Monitoring
  • Pricing
  • Resources
  • About
Sign inGet started
trace·warrior

Network diagnostics for IT professionals. Built for speed, accuracy, and the long tail of the Friday afternoon outage.

ALL SYSTEMS NOMINAL
Tools
  • DNS Lookup
  • Ping Test
  • Port Checker
  • WHOIS
  • See all
Product
  • Monitors
  • Pricing
  • How-to guides
  • Compare
Resources
  • Blog
  • API docs
  • Tool index
  • Contact
Company
  • About
  • Privacy
  • Terms
  • Cookie policy
© 2026 Trace Warrior · made for engineers, by engineersnetwork forensics, quietly
/
/
tools/encoding & hashing/jwt-decoder
Encoding & Hashing

JWT Decoder

Free JWT decoder. Paste a JSON Web Token and instantly see its decoded header and payload, the signing algorithm, and every claim, with iat, nbf and exp shown as human-readable dates and a clear expired or valid status. Everything is decoded in your browser; the token is never sent anywhere. Note that decoding does not verify the signature, which requires the signing key.

Decoded in your browser. The token is never sent anywhere.

What is inside a JWT

A JSON Web Token is three base64url-encoded parts joined by dots: header.payload.signature. The header names the signing algorithm (such as HS256 or RS256). The payload holds the claims, including the standard ones: iss (issuer), sub (subject), aud (audience), exp (expiry), iat (issued at) and nbf (not before). The signature is what a server checks to prove the token has not been tampered with. This tool decodes the header and payload and shows the time claims as human dates with a clear expiry status.

Decoding is not verifying

A JWT is encoded, not encrypted. Anyone who has the token can read its payload, which is exactly what this tool does, so never put secrets or sensitive personal data in a JWT. Decoding also does not prove the token is genuine: only verifying the signature with the issuer's key does that. Treat a decoded payload as untrusted input until your server has verified the signature.

Frequently asked questions

What is a JWT?

A JSON Web Token is a compact, URL-safe token format used for authentication and authorization. It carries signed claims (such as who the user is and when the token expires) in three base64url-encoded parts.

Is a JWT encrypted?

No. A standard JWT is base64url-encoded, not encrypted, so anyone holding it can read the payload. The signature protects against tampering, not against reading. Do not store secrets in a JWT.

How do I decode a JWT?

Paste the token into the tool above. It splits the token, base64url-decodes the header and payload, and displays the claims with the issued, not-before and expiry times as readable dates. Everything happens in your browser.

Does decoding a JWT verify it?

No. Decoding only reveals the contents. Verifying a JWT means checking its signature against the signing key, which must be done server-side. A decoded token should never be trusted on its own.

Related tools

  • Base64 Encoder / Decoder →
  • Hash Generator →
  • URL Encoder / Decoder →