JWT Decoder
Decode and inspect JSON Web Tokens instantly. No data is ever sent to a server.
What is a JWT and what does decoding reveal?
A JSON Web Token (JWT) is a compact, URL-safe token with three Base64URL-encoded parts: a header (algorithm and type), a payload (claims about the user or session), and a signature. Decoding the header and payload requires no secret: they are encoded, not encrypted, so anyone who holds the token can read them. The signature proves integrity but can only be verified with the signing secret or the matching public key, and the signing key stays on your server.
Claims, expiry, and common debugging scenarios
The payload carries standard claims: sub (subject / user ID), iss (issuer), exp (expiration timestamp), iat (issued at), nbf (not before). The most common debugging need is checking whether a token is expired — the decoder shows exp as a human-readable date alongside the raw timestamp. Custom claims added by your auth service also appear in full.
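The decode-and-check-expiry step described above, as an added example that is not the tool's own code. The function names (`inspectJwt`, `b64urlDecode`, `b64urlEncode`) and the sample token with its claims are constructed for illustration; the code only decodes and never verifies the signature.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies the signature.
const utf8 = new TextDecoder("utf-8", { fatal: true });

// Base64URL -> UTF-8 string (restores the padding that JWTs strip).
function b64urlDecode(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error("segment is not Base64URL");
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return utf8.decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

// Helper used only to build the constructed sample token below.
function b64urlEncode(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlDecode(parts[0]));
  const payload = JSON.parse(b64urlDecode(parts[1]));
  const iso = (t) => (typeof t === "number" ? new Date(t * 1000).toISOString() : null);
  return {
    header,
    payload,
    issuedAt: iso(payload.iat),
    notBefore: iso(payload.nbf),
    expiresAt: iso(payload.exp),
    // RFC 7519: a token is only acceptable while now < exp and now >= nbf.
    expired: typeof payload.exp === "number" ? nowSeconds >= payload.exp : null,
    notYetValid: typeof payload.nbf === "number" ? nowSeconds < payload.nbf : false,
    signatureVerified: false, // decoding proves nothing about authenticity
  };
}

// Constructed sample: made-up claims and a dummy signature segment.
const SAMPLE_TOKEN = [
  b64urlEncode({ alg: "HS256", typ: "JWT" }),
  b64urlEncode({ sub: "user-123", iss: "https://auth.example.test", name: "Zoë",
                 iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  "ZHVtbXk",
].join(".");

console.log(inspectJwt(SAMPLE_TOKEN, 1700003600));
```

A token with no `exp` claim reports `expired: null` rather than `false`, so a missing expiry is not mistaken for a valid one.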
Security: what you can and cannot do here
This tool decodes (Base64URL-decodes) the header and payload; it does not verify the signature. Verification requires the secret or public key, which you should never paste into a third-party tool. Decoding is safe: there is no secret involved, and because all processing happens in your browser, the token never reaches any server. Use this tool to inspect claims, not to validate tokens in production.