JWT Decoder

Inspect header, payload & signature

Encoded Token

0 chars

Decoded Header

The header appears here once you paste a token.

Decoded Payload

The payload appears here once you paste a token.

JWT Signature Verification (optional)

Enter the secret used to sign the token to check its authenticity.

Examples

Decode a token's payload

Input
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0Iiwibm…
Output
{
  "sub": "1234",
  "name": "Ada Lovelace",
  "admin": true
}

Humanised time claims

Input
"exp": 2060000000
Output
Expires — Mar 7, 2035 (in 8 years)

Frequently asked questions

Is my token sent to a server?

No. The token is split and Base64URL-decoded entirely in your browser — it never leaves your machine. Even so, avoid pasting production tokens into any online tool.

Does this verify the signature?

No. Verifying a JWT's signature requires the issuer's secret (HMAC) or public key (RSA/ECDSA), which the decoder doesn't have. It shows the signature segment but cannot confirm the token is authentic — decoding is not verification.

How are exp, nbf and iat shown?

These registered claims are Unix timestamps. The decoder converts them to your local date and time, adds a relative hint like "in 3 days" or "5 hours ago", and flags whether the token is Active, Expired or Not yet valid.

What is a JWT made of?

Three Base64URL parts separated by dots: a header (algorithm and type), a payload (the claims), and a signature. The header and payload are just encoded JSON — not encrypted — so anyone can read them.

Related tools