JWT Decoder

Decode a JSON Web Token to read its header and payload claims.

Decoding only — the signature is not verified. Don’t paste production tokens.

Frequently asked questions

What is a JWT?

A JSON Web Token is a compact, URL-safe token with three Base64URL parts separated by dots: a header, a payload of claims, and a signature. It is widely used for authentication and API access.

Does this verify the signature?

This tool decodes and displays the header and payload so you can inspect the claims. It does not verify the signature, because that requires the secret or public key — decoding is safe and read-only.

Is it safe to paste a token here?

Decoding happens on our server over HTTPS and nothing is stored, but a JWT can be a live credential. Do not paste production tokens you would not want seen; prefer expired or test tokens.

What do exp and iat mean?

exp is the expiry time and iat is the issued-at time, both as Unix timestamps. The tool shows them in a readable form so you can tell if a token is still valid.