JWT Decoder
Paste a JSON Web Token to read its header, payload and claims, see exactly when it expires, and verify an HMAC signature — all without leaving your browser.
Decoded on your device with the Web Crypto API — the token and secret are never uploaded.
Your data never leaves your browser
This tool runs entirely in your browser. There is no upload endpoint on this page — your input is processed locally with native browser APIs, and nothing is sent to a server or logged. Open your browser's network panel and check: the only request is the page itself.
How it works
Three steps, no surprises
Paste the token
Drop in any JWT. The three colour-coded parts — header, payload and signature — split apart and decode instantly. Nothing is uploaded.
Read the claims
See the full JSON, plus the standard claims spelled out — who issued it, who it’s for, and whether it’s expired, not yet valid, or still good.
Verify it (optional)
For HS256/384/512 tokens, paste the shared secret and the signature is checked locally with the Web Crypto API. The secret never leaves your device.
FAQ
JWT Decoder questions, answered
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe way to carry a set of claims between two parties — most often used as a login or API access token. It has three parts separated by dots: a header (which signing algorithm is used), a payload (the claims, such as who the user is and when the token expires) and a signature (which lets the server check the token has not been tampered with). The header and payload are just Base64url-encoded JSON, which is why this tool can show their contents instantly.
Is it safe to paste my token here?
The decoding happens entirely in your browser — the token is never uploaded, and you can confirm that in your browser’s network panel. That said, a JWT is usually a live credential, so treat it like a password: only paste tokens from test or development environments, and never share a screenshot or a link containing a real production token. The optional signing secret you enter to verify a signature also stays on your device and is deliberately left out of share links and history.
Can anyone read what’s inside a JWT?
Yes. The header and payload are only Base64url-encoded, not encrypted, so anyone holding the token can decode and read them — exactly as this tool does. The signature stops someone altering the claims without being detected, but it does not hide them. The practical rule: never put anything secret (passwords, card numbers, private personal data) in a JWT payload. If the contents must stay confidential, you need an encrypted token (JWE) instead.
What do claims like exp, iat, nbf, iss and sub mean?
These are the registered (standard) claims. “iss” is the issuer, “sub” the subject (usually the user the token is about), and “aud” the intended audience. The time claims are Unix timestamps: “iat” is when the token was issued, “nbf” the time before which it must not be accepted, and “exp” when it expires. This tool converts those timestamps into readable dates and tells you at a glance whether the token is currently valid, not yet valid, or expired.
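The decoding and claim-reading steps described above, as an added example that is not part of the tool's own code: it splits the token, Base64url-decodes the header and payload with the atob and TextDecoder globals that browsers and Node provide, spells out the registered claims, and applies the exp/nbf rules from RFC 7519. The sample token and its timestamps are constructed here, and its signature part is a placeholder, so decoding it says nothing about authenticity.

```javascript
// Added example (not the page's own code): split a JWT, Base64url-decode the
// header and payload, and evaluate the registered time claims. Uses only the
// atob / btoa / TextEncoder / TextDecoder globals of browsers and Node.
// The sample token at the bottom is constructed here with a placeholder
// signature: decoding it proves nothing about who issued it.

// Base64url -> bytes (RFC 4648 section 5): swap the URL-safe alphabet back
// and restore the '=' padding that JWTs strip.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// bytes -> Base64url, used only to build the constructed sample token.
function bytesToBase64url(bytes) {
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function jsonToBase64url(obj) {
  return bytesToBase64url(new TextEncoder().encode(JSON.stringify(obj)));
}

function base64urlToJson(s) {
  return JSON.parse(new TextDecoder().decode(base64urlToBytes(s)));
}

// Decode only. The signature part is returned untouched; nothing here checks it.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('a signed JWT has exactly three dot-separated parts');
  const [h, p, sig] = parts;
  return { header: base64urlToJson(h), payload: base64urlToJson(p), signature: sig };
}

// Time-window check from RFC 7519: reject when now >= exp, or when now < nbf.
// `now` is Unix seconds; `leeway` (seconds) absorbs small clock skew between
// issuer and verifier. This says nothing about the signature.
function timeWindowStatus(payload, now = Math.floor(Date.now() / 1000), leeway = 0) {
  if (typeof payload.exp === 'number' && now >= payload.exp + leeway) return 'expired';
  if (typeof payload.nbf === 'number' && now < payload.nbf - leeway) return 'not yet valid';
  return 'within validity window';
}

// Spell out the registered claims, converting Unix timestamps to ISO dates.
function describeRegisteredClaims(payload) {
  const toIso = (t) => (typeof t === 'number' ? new Date(t * 1000).toISOString() : undefined);
  return {
    issuer: payload.iss,
    subject: payload.sub,
    audience: payload.aud,
    issuedAt: toIso(payload.iat),
    notBefore: toIso(payload.nbf),
    expiresAt: toIso(payload.exp),
  };
}

// Constructed sample (not a real token): 1700000000 is 2023-11-14T22:13:20Z.
const SAMPLE_PAYLOAD = {
  iss: 'https://issuer.example', sub: 'user-123', aud: 'api.example', name: 'Zoë',
  iat: 1700000000, nbf: 1700000000, exp: 1700003600,
};
const SAMPLE_TOKEN = `${jsonToBase64url({ alg: 'HS256', typ: 'JWT' })}.${jsonToBase64url(SAMPLE_PAYLOAD)}.placeholder`;

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header, describeRegisteredClaims(decoded.payload));
console.log('30 min after issue:', timeWindowStatus(decoded.payload, 1700001800));
console.log('at exp exactly:    ', timeWindowStatus(decoded.payload, 1700003600));
```

The leeway parameter is the one thing a real verifier usually adds on top of the bare RFC rules: a few seconds of tolerance so that a token issued by a server whose clock runs slightly ahead is not rejected as "not yet valid".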
Does decoding a JWT mean it is valid?
No — decoding and verifying are different things. Decoding just reads the Base64url contents, which works for any token regardless of whether the signature is genuine. Verifying checks that the signature was produced with the correct key and that the token has not expired. A decoded payload you can read is not proof the token is authentic; only a successful signature check against the right secret or public key proves that.
How do I verify a JWT’s signature?
If the token uses an HMAC algorithm (HS256, HS384 or HS512), paste the shared signing secret into the “Verify signature” box and the tool recomputes the signature locally with the Web Crypto API and tells you whether it matches. Tokens signed with RSA or ECDSA (RS256, ES256 and similar) are verified with a public key rather than a shared secret; this tool decodes those fully but does not perform their signature check. The secret you type is used only in your browser and is never stored or shared.