JWT Decoder

Paste a JSON Web Token to split it into its parts and decode the header and the payload claims. Runs entirely in your browser; your token is never uploaded.

What JWT claims show

A JWT has three dot-separated parts: a header, a payload, and a signature. The header describes how the token was signed, chiefly the alg field, and often a kid that names the signing key. The payload holds the claims: registered fields such as sub (subject), iss (issuer), aud (audience), exp (expiration), and iat (issued-at), plus any custom claims the issuing system added. The signature is raw bytes computed over the first two parts; it lets a party holding the right key detect tampering, but it is not readable data and cannot be checked without that key.

This tool decodes the header and payload from Base64URL into readable JSON, converts time-based claims to local and UTC times, and shows whether the token is currently expired.
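The decode path described above, as an added example that is not the tool's own code. It uses only atob and TextDecoder, so it runs unchanged in a browser or in Node 16 and later. The first sample is the widely published jwt.io demo token; the second is constructed in the block with a placeholder signature to show exp and nbf handling, and the third is a constructed five-part string to show how a JWE is told apart from a JWS.

```javascript
// Added example (not the tool's own code): decode a JWT without verifying it.
// Runs in a browser or in Node 16+; only atob and TextDecoder are used.

function base64UrlDecode(segment) {
  // Base64URL uses '-' and '_' in place of '+' and '/', and omits '=' padding.
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('invalid Base64URL segment length');
  if (rem) b64 += '='.repeat(4 - rem);
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

function base64UrlEncode(str) {
  // Only used here to build the constructed sample tokens below.
  return btoa(str).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJsonSegment(segment) {
  return JSON.parse(new TextDecoder().decode(base64UrlDecode(segment)));
}

// Decode header and payload, render the time claims, and flag expiry against `now`.
// This never looks at a key: "expired: false" does not mean "valid".
function decodeJwt(token, now = Date.now()) {
  const parts = token.trim().split('.');
  if (parts.length === 5) {
    // JWE compact serialization: header.encryptedKey.iv.ciphertext.tag.
    // Only the protected header is readable without the recipient's key.
    return { kind: 'JWE', header: decodeJsonSegment(parts[0]), payload: null };
  }
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  const header = decodeJsonSegment(h);
  const payload = decodeJsonSegment(p);
  const times = {};
  for (const claim of ['exp', 'iat', 'nbf']) {
    if (typeof payload[claim] === 'number') {
      // NumericDate is seconds since the Unix epoch; Date wants milliseconds.
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  const nowSec = Math.floor(now / 1000);
  return {
    kind: 'JWS',
    header,
    payload,
    times,
    // 32 bytes for HS256, 64 for ES256, 256 for RS256 with a 2048-bit key.
    signatureBytes: base64UrlDecode(s).length,
    expired: typeof payload.exp === 'number' && nowSec >= payload.exp,
    notYetValid: typeof payload.nbf === 'number' && nowSec < payload.nbf,
  };
}

// The widely published jwt.io demo token (HS256); no key is needed to decode it.
const DEMO_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

// A constructed token with exp and nbf; the signature segment is a placeholder
// because decoding never checks it.
const CONSTRUCTED_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ sub: 'alice', iss: 'https://issuer.example', nbf: 1699990000, exp: 1700000000 })),
  'AAAA',
].join('.');

// A constructed five-part string shaped like a JWE compact serialization.
const CONSTRUCTED_JWE =
  base64UrlEncode(JSON.stringify({ alg: 'RSA-OAEP', enc: 'A256GCM' })) + '.AAAA.AAAA.AAAA.AAAA';

console.log(JSON.stringify(decodeJwt(DEMO_TOKEN), null, 2));
```

The `now` parameter exists so that expiry can be evaluated against a chosen clock; the tool itself uses the device clock, which is why a wrong device time makes fresh tokens look expired.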

Decode is not the same as verify

Decoding reads what is inside the token. Anyone who holds the token can decode it: the header and payload are Base64URL-encoded, not encrypted, so anything an issuer puts in the claims is readable by every party that sees the token.

Verifying the signature checks that the token was produced by a party holding the signing key and has not been altered since. That requires the shared secret (for HMAC algorithms such as HS256) or the issuer's public key (for RSA, ECDSA and EdDSA algorithms). A public decoder has neither, so verification is outside its scope; it belongs in the service that accepts the token.

If you need to decide whether to accept a JWT presented by a user, verify it in your backend with a JWT library: fix the expected algorithm rather than trusting the token's alg header, check the signature, then check exp, nbf, iss and aud. A browser-based decoder cannot make that decision for you.

Common uses

  • Check the exp claim to find out why a token is being rejected as expired.
  • Inspect sub, iss, aud, and scope claims when integrating with an OAuth or OIDC provider.
  • Confirm the alg field in a sample token when reviewing API documentation.
  • Read custom claims to understand what data a system embeds in its tokens.
  • Share what a token looks like with a colleague without sharing the signing key.

Related security tools

Use the Hash Generator to create SHA digests from text, the Base64 Encoder Decoder to inspect individual encoded values, and the JSON Formatter to clean up the claims you copy out of a token.

FAQ

Does this upload my JWT?

No. Decoding runs in JavaScript in your browser. The token is never sent to a server.

Does this verify the JWT signature?

No. This tool only decodes: it reads the header and payload, which are Base64URL-encoded but not encrypted. Verifying the signature requires the secret or public key used to sign the token, which a public decoder does not have. Do that check in the service that accepts the token, not in a browser-based decoder.

Can I decode a JWT without the signing secret?

Yes. The header and payload are encoded, not encrypted. Any JWT can be decoded by splitting on dots and Base64URL-decoding the first two parts. The third part decodes to raw signature bytes rather than readable text, but the claims in the payload are fully readable. Decoding tells you nothing about whether the signature is genuine.

What are exp, iat, and nbf?

Standard JWT time claims. exp is when the token expires, iat is when it was issued, and nbf is the earliest time it can be used. All three are Unix timestamps — seconds since January 1, 1970 UTC.

My token has five parts instead of three. What does that mean?

That is a JWE (JSON Web Encryption) token in compact serialization: protected header, encrypted key, initialization vector, ciphertext, and authentication tag. The payload is encrypted, so it cannot be read without the recipient's key (a private key or a shared secret, depending on the alg named in the header); only the header is readable. This tool only handles signed JWS tokens, which have three parts.

Why does it say the token is expired when I just received it?

Check that your device clock is correct. Expiry is compared against your local clock, so a device set to the wrong time makes tokens appear expired or not yet valid. Also confirm with the token issuer that exp is set as intended: short-lived tokens can legitimately expire between issuance and inspection, and many verifiers allow a small leeway for clock skew that a strict decoder does not.

Is the token stored anywhere?

No. Nothing is saved. Closing or refreshing the page clears everything.