Is the JWT decoder safe to use?

Yes. All decoding happens in your browser using JavaScript. Your token is never sent to any server. Your file never leaves your browser.

Does this verify JWT signatures?

No. This tool only decodes the base64url-encoded header and payload. Signature verification requires the secret key, which you should never share publicly.

A JSON Web Token (JWT) is a compact, URL-safe means of representing claims between two parties. It consists of three parts: Header.Payload.Signature, all base64url-encoded.

What does 'iat' and 'exp' mean?

'iat' is the 'issued at' timestamp (Unix seconds). 'exp' is the 'expiration time' timestamp. This tool shows whether the token has expired.

Can I decode expired tokens?

Yes. This tool decodes any well-formed JWT regardless of expiry. It simply shows the decoded data and flags the expiry status.

JWT Decoder — Decode JSON Web Tokens Online

Paste a JWT to decode its header and payload instantly in your browser.

🔒 Your file never leaves your browser. Tokens are decoded locally using JavaScript.

JWT Token

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Signature (base64url, not verified)

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

⚠ Signature verification requires your secret key. Never share your JWT secret publicly.

How to Decode a JWT Token Online

1
Paste your JWT
Paste a JSON Web Token into the input field. The token consists of three base64url-encoded parts separated by dots.
2
View decoded header and payload
The header and payload are decoded instantly and displayed as formatted JSON below.
3
Check expiry and claims
The tool highlights the expiry status and key claims like 'sub' (subject), 'iss' (issuer), and 'iat' (issued at).

Frequently Asked Questions

Related Dev Tools

JSON Formatter Base64 Encoder/Decoder Hash Generator