JWT Decoder
A JSON Web Token (JWT) is three base64url-encoded segments separated by dots: a header, a payload of claims, and a signature. This tool decodes the header and payload to readable JSON entirely in your browser — your token is never sent to a server. Numeric iat and exp claims are also shown as human-readable ISO timestamps.
How It Works
- Paste a JWT in the left editor
- The decoded header and payload appear instantly as JSON
- iat and exp claims are translated to readable timestamps
- Copy or download the decoded output
Note: this tool does not verify signatures. Decoding shows what a token claims, but only signature verification with the signing key proves the token is authentic and untampered.
Frequently Asked Questions
Is it safe to paste a JWT here?
Yes. Decoding happens entirely in your browser — the token is never transmitted to any server. Still, treat production tokens as secrets and avoid sharing them.
Does this verify the signature?
No. This tool decodes the header and payload only. Verifying the signature requires the signing key (the shared secret for HS256 or the public key for RS256).
Why is my JWT invalid?
A JWT must have exactly three dot-separated segments, and the first two must be base64url-encoded JSON. Tokens with a wrong segment count or corrupted encoding will show an error.