About the JWT Decoder
A JWT consists of three Base64URL-encoded parts separated by dots: a header describing the signing algorithm, a payload carrying claims, and a signature. While the signature proves authenticity, the header and payload are merely encoded — not encrypted — so anyone can read them. This decoder splits the token and Base64URL-decodes the first two segments into readable JSON.
Crucially, decoding happens entirely client-side. Because access tokens are sensitive credentials, pasting them into a server-backed tool is risky; here, nothing is transmitted. The decoder also surfaces standard claims like iat, exp and nbf so you can quickly check whether a token has expired.
How to use the JWT Decoder
1. Paste the full JWT into the input field.
2. Read the decoded header and payload as formatted JSON.
3. Check the exp claim to see whether the token is still valid.
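The decoding and expiry check described above, as an added JavaScript example that is not the tool's own source: it splits the token, Base64URL-decodes the header and payload, and evaluates exp and nbf against a supplied clock while leaving the signature unverified. The sample token, its claim values and the dummy signature segment are constructed for illustration.

```javascript
// Added example: a minimal client-side JWT decoder. It reads claims and
// time status but does NOT verify the signature (that needs the key).

function base64UrlDecode(segment) {
  // Base64URL swaps '+' '/' for '-' '_' and drops '=' padding (RFC 4648 s.5).
  const base64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
  return new TextDecoder("utf-8").decode(bytes); // claims may be non-ASCII
}

function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  const header = JSON.parse(base64UrlDecode(headerSeg));
  const payload = JSON.parse(base64UrlDecode(payloadSeg));

  // exp/nbf/iat are NumericDate values: seconds since the Unix epoch.
  const isNum = (v) => typeof v === "number";
  const toIso = (s) => (isNum(s) ? new Date(s * 1000).toISOString() : undefined);
  const status = {
    expired: isNum(payload.exp) && now >= payload.exp,
    notYetValid: isNum(payload.nbf) && now < payload.nbf,
    issuedAt: toIso(payload.iat),
    notBefore: toIso(payload.nbf),
    expiresAt: toIso(payload.exp),
  };
  // The signature is surfaced but never checked: unverified claims are untrusted.
  return { header, payload, signature: signatureSeg, status, signatureVerified: false };
}

// Constructed sample token (not a real credential): header and payload encoded
// locally, plus a dummy signature segment that no verifier would accept.
function base64UrlEncode(text) {
  const binary = Array.from(new TextEncoder().encode(text), (b) => String.fromCharCode(b)).join("");
  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({ sub: "user-42", iat: 1700000000, nbf: 1700000000, exp: 1700003600 })),
  "dummy-signature",
].join(".");

// Evaluate one second after exp: status.expired is true.
console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN, 1700003601), null, 2));
```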
Key benefits
- Tokens are decoded locally and never uploaded.
- See header, payload and standard claims clearly.
- Human-readable expiry and issued-at times.
Real-world examples
Debug an auth issue
Inspect the claims in a bearer token from an API call.
Check expiry
Confirm whether a token has expired via its exp claim.
Frequently asked questions
Does this verify the signature?
No. Decoding reveals the claims but does not verify the signature, which requires the secret or public key. Never trust an unverified token on the server.
Is it safe to paste a real token?
Yes — decoding is performed entirely in your browser and nothing is sent anywhere. Still, treat production tokens with care.
Why can I read the payload, isn't it secret?
JWT payloads are encoded, not encrypted. Never put secrets in a JWT payload; assume anyone can read it.