Free JWT decoder. Paste a JSON Web Token and instantly see its decoded header and payload, the signing algorithm, and every claim, with iat, nbf and exp shown as human-readable dates and a clear expired or valid status. Everything is decoded in your browser; the token is never sent anywhere. Note that decoding does not verify the signature, which requires the signing key.
A JSON Web Token is three base64url-encoded parts joined by dots: header.payload.signature. The header names the signing algorithm (such as HS256 or RS256). The payload holds the claims, including the standard ones: iss (issuer), sub (subject), aud (audience), exp (expiry), iat (issued at) and nbf (not before). The signature is what a server checks to prove the token has not been tampered with. This tool decodes the header and payload and shows the time claims as human dates with a clear expiry status.
A JWT is encoded, not encrypted. Anyone who has the token can read its payload, which is exactly what this tool does, so never put secrets or sensitive personal data in a JWT. Decoding also does not prove the token is genuine: only verifying the signature with the issuer's key does that. Treat a decoded payload as untrusted input until your server has verified the signature.
A JSON Web Token is a compact, URL-safe token format used for authentication and authorization. It carries signed claims (such as who the user is and when the token expires) in three base64url-encoded parts.
No. A standard JWT is base64url-encoded, not encrypted, so anyone holding it can read the payload. The signature protects against tampering, not against reading. Do not store secrets in a JWT.
Paste the token into the tool above. It splits the token, base64url-decodes the header and payload, and displays the claims with the issued, not-before and expiry times as readable dates. Everything happens in your browser.
No. Decoding only reveals the contents. Verifying a JWT means checking its signature against the signing key, which must be done server-side. A decoded token should never be trusted on its own.