JWT Decoder
Paste a JSON Web Token to instantly decode and inspect the header, payload, and signature. Your tokens never leave your browser.
Paste a JWT token above to decode it
Or click to try it out
Frequently Asked Questions
Common questions about JWT Decoder
Paste your JWT token (the long string starting with 'eyJ...') into the input field. The tool instantly decodes and displays the header (algorithm, type), payload (all claims including sub, iat, exp), and signature section with color coding.
With this tool, yes. JWT decoding only requires Base64 decoding which happens entirely in your browser. Your token is never sent to any server. However, you should never paste tokens into online tools that make server requests, as the token could be intercepted.
The tool automatically reads the 'exp' (expiration) claim from the payload and shows whether the token is currently valid or expired, along with the exact expiration date and time and how long ago it expired.
The header contains metadata about the token — the signing algorithm (e.g., HS256, RS256) and token type. The payload contains the actual claims — user ID, roles, permissions, expiration time, and any custom data the issuer included.
This tool decodes and displays JWT contents but does not verify signatures, as that requires the secret key or public key. For security, signature verification should be done server-side in your application.